SSL Observatory


The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded datasets of all of the publicly-visible SSL certificates on the IPv4 Internet, in order to search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested in the web's encryption infrastructure.

https://www.eff.org/observatory 

Build your own datacenter

Facebook has launched an "open source" hardware and datacenter project that explains how to build an efficient large-scale datacenter.

Open Compute Project

Java vulnerabilities

Oracle Java SE Critical Patch Update Advisory - October 2011

This Critical Patch Update contains 20 new security fixes for Oracle Java SE.  19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

 

More than 1 million sites affected by SQL injection attack

Over a million web sites affected in mass SQL injection attack  

By Dancho Danchev | October 19, 2011, 4:10am PDT

Summary: Security researchers from Armorize have intercepted a mass SQL injection attack, targeting ASP ASP.NET websites.

Duqu, the new Stuxnet?

Symantec has published information about a virus similar to Stuxnet, named Duqu (not to be confused with Count Dooku).

"Key points:
•    Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
•    The executables are designed to capture information such as keystrokes and system information.
•    Current analysis shows no code related to industrial control systems, exploits, or self-replication.
•    The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
•    The exfiltrated data may be used to enable a future Stuxnet-like attack."

More information:
W32.Duqu: The Precursor to the Next Stuxnet

Spyware made in Germany

It has been pretty chaotic in German Chancellor Angela Merkel's cabinet ever since the Chaos Computer Club dumped some alarming technology news in her lap. Turns out that the German government's "lawful interception" application, supposedly designed only to monitor IP telephone calls, is just a little more powerful than the police let on.
Berlin-based CCC released its analysis of Germany's "Quellen-TKÜ" ("source wiretapping") trojan on Saturday. The results weren't pretty. Despite a constitutional court ban on the use of malware to crack PCs, the state-sanctioned malware's makers didn't even bother to add technical barriers ensuring that the code would only be used for tapping Internet telephone conversations.
"On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer," CCC's report noted.
But that's only the start of what this application can do:
The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. This complete control over the infected PC—owing to the poor craftsmanship that went into this trojan—is open not just to the agency that put it there, but to everyone. It could even be used to upload falsified "evidence" against the PC's owner, or to delete files, which puts the whole rationale for this method of investigation into question.
Full story at Ars Technica

Confidentiality and privacy in the cloud

A recent article of mine on this topic:

Francisco Rocha, Salvador Abreu, Miguel Correia. The Final Frontier: Confidentiality and Privacy in the Cloud, IEEE Computer, vol. 44, n. 9, pp. 44-50, Sep. 2011. (abstract/pdf)

The problem we want to avoid is the cloud provider accessing the user's data. The solution is to use the Trusted Platform Module to attest that the software on the servers is trustworthy.

Crime-sourcing

A long and very interesting article on crime-sourcing, the criminal version of crowdsourcing:

From crowdsourcing to crime-sourcing: The rise of distributed criminality
How criminals are applying crowdsourcing techniques.  by Marc Goodman  29 September 2011
O'Reilly Radar

Crowdsourcing began as a legitimate tool to leverage the wisdom of the crowds to solve complex business and scientific challenges. Unfortunately, these very same techniques are increasingly being adopted by the criminal underground for nefarious purposes.

(....)

Eventually, specialties emerged and criminal enterprises learned to outsource all tasks not within their specific areas of expertise. For example, in a standard phishing operation, an organized crime group might commission the creation of a scam web page and contact a secondary broker to get a list of thousands of email addresses. Using another intermediary, the crime group would get access to a compromised computer and rent a botnet to distribute the spam emails for a period of agreed upon time, such as 12 or 24 hours.

As hapless victims readily provided their banking and credit card information, the data would be culled and forwarded to the contracting criminals. The crime group would likely rent a distributed proxy network to obfuscate their true locations and to run transactions against the compromised accounts.

Of course, all this money needs to be received, processed and laundered in a way that protects the criminal enterprise, and there are numerous illicit techniques for hiring unsuspecting participants to take on the task. The most common is to place an ad in a print newspaper or an online publication offering opportunities to "work from home" and make "quick money" as an "importer/exporter."

(...)

One of the more interesting developments in crowdsourced offenses has been the birth of the crime "flash mob." The practice of crime flash mobs has become so common that the media have now coined a term "flash robs" to describe the ensuing theft and violence. In these cases groups of individual criminals, who may or may not even know each other, are organizing themselves online and suddenly descending into unsuspecting stores to steal all that they can in a flash. The unsuspecting merchant has little he can do when 40 unruly strangers suddenly run into his shop and run off with all his merchandise. Dozens of these cases have occurred, including one in which co-conspirators planned an attack via Facebook and Twitter that led to the pillaging of a Victoria's Secret store in London.

(...)

In perhaps one of the most ingenious uses of crime-sourcing seen to date, a bank robber in Seattle utilized Craigslist to recruit a crowd of unwitting participants to facilitate his escape. In the days leading up to the robbery, the perpetrator placed an ad on Craigslist seeking workers for a purported road-maintenance project paying $28.50 an hour. He instructed his "contractors" to show up at a street location at the exact place and time an armored car was to be delivering cash to a local Bank of America.

(...)

5 worst practices in database encryption

Interesting. The list:

1. Storing Keys In The Wrong Place
2. Failing To Centralize Key Management
3. Depending On Home-Brew Solutions
4. Leaving Backups Unencrypted
5. Using Out-of-Date Cryptographic Algorithms

The full article:
http://www.darkreading.com/database-security/167901020/security/news/231900083/five-worst-practices-in-database-encryption.html?pgno=1#articleArea

Network maps for sale?

"Are there American companies that sell maps of the computer networks of a country's companies, sold together with the software pack for getting into the target's vulnerabilities? That is the question being raised in certain well-informed circles. The purchase price of this study, per country, is said to be 1 million dollars. No spyware is slipped into the software sold to the future users of these intrusive weapons, but no one guarantees that the seller does not pass information about the buyer of the study in question to the NSA.

Three names come up regularly in corridor discussions: Endgames (which no longer has a website, so as to remain even more discreet), HB Gary (and HB Gary Federal, which works only for the American government) and Palantir.

The site numerama.com sums up the affair as follows: Anonymous wanted to teach a lesson to all those who would attack them, by hacking and publishing the e-mails of the company HBGary, which had tried to identify some of its members. A PowerPoint document bearing the letterhead of the company Palantir had been presented to Bank of America. “Together, Palantir Technologies, HBGary Federal and Berico Technologies bring the expertise and approach needed to effectively combat the Wikileaks threat”, said the presentation, which detailed the means of destroying Wikileaks by attacking its reputation and its sources, through sometimes illicit methods. It was said, for example, which surprisingly did not shock many people, that “since the servers are now in Sweden and France, putting together a team to get access to them is simpler”. The document proposed carrying out “cyber-attacks against the infrastructure to obtain data on those who submit documents”.

Palantir Technologies acknowledged the existence of the document that detailed the possible actions against Wikileaks. The President of Palantir Technologies announced that he was cutting all ties with the company HBGary, some of whose e-mails had been hacked by Anonymous."

Source: Knowckers.org
Full article