Advanced Persistent Threats

Prepare for the "Advanced Persistent Threat"

"A recent string of cyberattacks against large companies, government contractors, financial institutions, and even security providers themselves has highlighted a new type of heist: the advanced persistent threat, or APT.

This spring, these ambitious attacks have hit organizations that have valuable data and the resources to defend it well, including Google, Citigroup, and the International Monetary Fund. A recent APT-style attack on RSA, which provides security technology to some of the biggest banks, alarmed RSA's high-profile clients and appears to have led to an intrusion at Lockheed Martin, an RSA customer.

Unlike recent website takeovers by brazen "hacktivists" or massive thefts of credit card data, APTs are elaborate and sustained con jobs that are difficult to detect. (....)"

Full article at MIT Technology Review: http://www.technologyreview.com/business/37767/?nlid=4613#

malware pay-per-install

A new business: pay to have your malware installed on victims' computers. Cost: between 7 and 180 dollars per thousand installations.

"New research suggests that the majority of personal computers infected with malicious software may have arrived at that state thanks to a bustling underground market that matches criminal gangs who pay for malware installations with enterprising hackers looking to sell access to compromised PCs.

Pay-per-install (PPI) services are advertised on shadowy underground Web forums. Clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to the PPI service, which in turn charges rates from $7 to $180 per thousand successful installations, depending on the requested geographic location of the desired victims.

The PPI services also attract entrepreneurial malware distributors, or "affiliates," hackers who are tasked with figuring out how to install the malware on victims' machines. Typical installation schemes involve uploading tainted programs to public file-sharing networks; hacking legitimate websites in order to automatically download the files onto visitors; and quietly running the programs on PCs they have already compromised. Affiliates are credited only for successful installations, via a unique and static affiliate code stitched into the installer programs and communicated back to the PPI service after each install."

Original article:
Most Malware Tied to 'Pay-Per-Install' Market
http://www.technologyreview.com/computing/37705/?a=f

Blog on the smartphone

Today the blog was made compatible with smartphones. Just open
http://www.seguranca-informatica.net/ in a browser on your phone. Happy reading!

Impact of company culture on systems, and Apple's iCloud

A very interesting article on the impact that company culture has on systems. The article argues that Apple has a culture that favors excellence in interfaces and failure in large-scale distributed systems, while the opposite holds for Google.

Fourth time's a charm? Why Apple has trouble with cloud computing
http://arstechnica.com/apple/news/2011/06/fourth-times-a-charm-why-icloud-faces-long-odds.ars
Ars Technica

Security in companies: Sony and CISOs

"Major corporations have made serious mistakes with information security recently, resulting in spectacular failures to protect business and customer records. After years of warnings, why do so many businesses still fail to deal properly with this issue? Eugene H. Spafford, a professor of computer science at Purdue University who frequently advises government, law enforcement, and big companies, has some ideas. He spoke with technology journalist Brian Krebs for Technology Review.

(....)

Spafford: Some business management organizations simply do not have a proper IT security organization, and often that function is still kept under the company's chief information officer. When that happens, the people who deal with security are way down the line, and they don't have [access to] the CEO or the company's board. So the security function of that organization isn't funded and doesn't have the authority at a high enough level to really operate the way it should. Many IT organizations have grown up from the level of system administrators who started at the bottom of the organizational hierarchy. These typically are people with computer science and technical training, but they don't speak business. They don't always understand risk or cost-benefit analyses. As a result, they are not able to present the business case for security and privacy issues. We learned recently that Sony didn't have a chief information security officer [CISO] prior to the attacks that exposed personal and financial data of more than 100 million customers."

Full interview: Making the case for security