Security module with the Arduino

In these times of Arduinos and Raspberry Pis, a project that turns an Arduino into a security module. The idea is very simple and the module serves only for authentication with Amazon AWS.

Signing AWS Requests With Your Arduino

5 best hacks of 2012

The 5 Coolest Hacks Of 2012

1. Beating Cybercriminals At Their Own Game
Let's just say the phony antivirus scammers dialed the wrong number.

2. Airplane Hack
The FAA's new air traffic control system has holes so big that a fake plane could fly through them.

3. Infiltrating The Smart Meter
All eyes have been on the smart grid, with its state-of-the-art technology and potentially more secure infrastructure than legacy critical infrastructure systems. But like any new technology, it has its flaws security-wise, and in one case, in the infrared "eye" in the smart meter itself.

4. RATs With Bugs
Remote access Trojans/tools -- a.k.a. RATs -- are a cybercriminal's best friend. A pair of interns for Matasano Security discovered that some popular RATs can actually be exploited to help turn the tables on the attackers behind them.

5. Videoconference Bugs The Boardroom
Renowned researcher and Metasploit creator HD Moore late last year scanned a snapshot of addressable Internet space in search of high-end videoconferencing systems that might be found in corporate boardrooms. What he found was unnerving: a quarter of a million systems that spoke H.323, the protocol used by videoconferencing systems.

full text at Dark Reading

Hacking the TV for fun and profit

How an Internet-connected Samsung TV can spill your deepest secrets
Hack demonstrates the growing vulnerability of consumer devices.

If you use a Samsung "Smart TV" that's connected to the Internet, there's a good chance Luigi Auriemma can hack into the device and access files stored on connected USB drives.

The researcher with Malta-based security firm ReVuln says he has uncovered a vulnerability in most Samsung models that makes it easy for him to locate their IP address on the Internet. From there, he can remotely access the device and exercise the same control someone in the same room would have. That includes gaining root access and installing malicious software. The attack exploits bugs in features that allow end users to install Skype, Pandora, and other types of apps. The TVs can be controlled using smartphone and tablet apps and in some cases by voice commands.

full story at Ars Technica

Hackers arrested in 2012

An amusing article about the main hackers arrested in 2012:

The Biggest Hacker Busts Of 2012
By Ericka Chickowski, Contributing Writer
Dark Reading

The list:

Sabu's Lulzsec Pals: Ryan Ackroyd, Jake Davis, Darren Martyn, Jeremy Hammond, and Donncha O'Cearrbhail

Sony's Revenge: Raynaldo Rivera

The Hacker Formerly Known As ACK!3STX

The Higinio O.Ochoa Hacker "Bust"

Pirate Bay Founder Arrg-rested: Gottfrid Svartholm

Russian Bot Herder: Dmitry Zubakha

Credit Card Sting: Nikhil Kolbekar

Crime And Punishment In Hacker Land: Hermes

You Can't Elude Agent Smith: Barrett Brown

Bitter Pill For TeaMp0isoN

Cyber-kidnapping of medical records

Cybercriminals Hold Australian Medical Clinic Electronic Patient Records Hostage

ABC News Australia published a report this week about a small medical clinic in Queensland, Australia that discovered cybercriminals, apparently Russian in origin, had been able to break through both the clinic’s server firewall and password system and successfully encrypted all of the clinic’s patient electronic medical records. Thousands of patient files are now said to be inaccessible.

The cybercriminals reportedly are demanding the clinic pay A$4000 to decrypt the information, something that the clinic so far is refusing to do. The clinic's owner says that he is worried that if the clinic does pay, the cybercriminals will decrypt only a small number of patient records, and then demand additional ransom monies on promises to decrypt the remainder, and so on. Right now, the clinic is trying to determine how many patient records can be rebuilt from information retrievable from pharmacists and hospitals, but the owner admits it is “very, very, very difficult” to operate effectively without access to the clinic's patient records.

This incident seems to be just the latest in a trend that is following the increasing digitalization of electronic medical records. A Bloomberg story from August describes several incidents of similar extortion demands in the United States from clinics as well as thefts of electronic medical records.

Healthcare providers seem to be an especially good target of opportunity for cybercriminals. According to a new benchmark survey published by the Ponemon Institute, some 94% of U.S. healthcare organizations have suffered a data breach in the past two years, and 45 percent have admitted to experiencing five such breaches over the same period. In addition, Ponemon's survey reports that "54 percent of organizations have little or no confidence that they can detect all patient data loss or theft," which isn't surprising, given that 73 percent of healthcare providers surveyed admit that they "still have insufficient resources to prevent and detect data breaches... and 67 percent of organizations don’t have controls to prevent and/or quickly detect medical identity theft."

You may remember from a few years ago that the state of Virginia's Prescription Monitoring Program website containing prescription information on 530 000 patients was similarly attacked. A cybercriminal claimed to have stolen the patients’ prescription information, encrypted it in a file, and deleted the data. He (or she) demanded in a ransom note left on the website US $10 million for the information's safe return. While state officials (eventually) admitted the website was indeed breached and information likely taken, the state also said that it had all the patient information securely backed up. No ransom was ever paid, and the would-be extortionist has never been caught.

As a story in NetworkWorld commenting on the Australian medical clinic situation noted, organizations which have securely stored sensitive information offline or in the cloud have been the most successful in keeping such extortionists at bay.

full story at IEEE Spectrum online

10 Security Stories of 2012

from ZDNet:

10 security stories that shaped 2012

Summary: From a major malware attack on the Mac OS X to state-sponsored cyber-espionage attacks, IT security in 2012 will be remembered as the year that piqued the imagination.


1. Flashback hits Mac OS X

Although the Mac OS X Trojan Flashback/Flashfake appeared in late 2011, it wasn't until April 2012 that it became really popular. At its peak, Flashback infected more than 700,000 Macs, easily the biggest known MacOS X infection to date. How was this possible? Two main factors: a Java vulnerability CVE-2012-0507 and the general sense of apathy among the Mac faithful when it comes to security issues.

2. Flame and Gauss: nation-state cyber-espionage campaigns

In mid-April 2012, a series of cyber-attacks destroyed computer systems at several oil platforms in the Middle East. The malware responsible for the attacks, named “Wiper”, was never found – although several pointers indicated a resemblance to Duqu and Stuxnet. During the investigation, we stumbled upon a huge cyber-espionage campaign now known as Flame.

Of course, when Flame was discovered, people wondered how many other campaigns like this were being mounted. And it wasn’t long before others surfaced. The discovery of Gauss, another highly sophisticated Trojan that was widely deployed in the Middle East, added a new dimension to nation-state cyber campaigns.

3. The explosion of Android threats

During 2011, we witnessed an explosion in the number of malicious threats targeting the Android platform. We predicted that the number of threats for Android would continue to grow at an alarming rate. The number of samples continued to grow and peaked in June 2012, when we identified almost 7,000 malicious Android programs. Overall, in 2012, we identified more than 35,000 malicious Android programs, which is about six times more than in 2011. That’s also about five times more than all the malicious Android samples we received since 2005 altogether!

4. The LinkedIn, Last.fm, Dropbox and Gamigo password leaks

These attacks show that in the age of the ‘cloud’, when information about millions of accounts is available in one server, over speedy internet links, the concept of data leaks takes on new dimensions. We explored this last year during the Sony Playstation Network hack; there is perhaps no surprise such huge leaks and hacks continued in 2012.

5. The Adobe certificates theft and the omnipresent APT

On 27 September 2012, Adobe announced the discovery of two malicious programs that were signed using a valid Adobe code signing certificate. Adobe’s certificates were securely stored in an HSM, a special cryptographic device which makes attacks much more complicated. Nevertheless, the attackers were able to compromise a server that was able to perform code signing requests.

6. The DNSChanger shutdown

When the culprits behind the DNSChanger malware were arrested in November 2011 during the “Ghost Click” operation, the identity-theft infrastructure was taken over by the FBI. It was a large scale action that showed that success against cybercrime can be achieved through open cooperation and information sharing.

7. The Ma(h)di incident

During late 2011 and the first half of 2012, an ongoing campaign to infiltrate computer systems throughout the Middle East targeted individuals across Iran, Israel, Afghanistan and others scattered across the globe. In partnership with Seculert, Kaspersky Lab investigated this operation and named it “Madi”, based on certain strings and handles used by the attackers.

Although Madi was relatively unsophisticated, it did succeed in compromising many different victims around the globe through social engineering and Right-To-Left-Override tactics. The Madi campaign demonstrated yet another dimension to cyber-espionage operations in the Middle East and one very important thing: low investment operations, as opposed to nation-state sponsored malware with an unlimited budget, can be quite successful.

8. The Java 0-days 

In the aftermath of the previously mentioned Mac OS X Flashback attack, Apple took a bold step and disabled Java across millions of Mac OS X users. It might be worth pointing out that although a patch was available for the vulnerability exploited by Flashback since February, Apple users were exposed for a few months because of Apple’s tardiness in pushing the patch to Mac OS X users. The situation was different on Mac OS X, because while for Windows, the patches came from Oracle, on Mac OS X, the patches were delivered by Apple.

9. Shamoon

In the middle of August, details appeared about a piece of highly destructive malware that was used in an attack against Saudi Aramco, one of the world’s largest oil conglomerates. According to reports, more than 30,000 computers were completely destroyed by the malware.

Detailed analysis of the Shamoon malware found that it contained a built-in switch which would activate the destructive process on 15 August, 8:08 UTC. Later, reports emerged of another attack of the same malware against another oil company in the Middle East.

Shamoon is important because it brought up the idea used in the Wiper malware, which is a destructive payload with the purpose of massively compromising a company’s operations. As in the case of Wiper, many details are unknown, such as how the malware infected the systems in the first place or who was behind it.

10. The DSL modems, Huawei banning and hardware hacks

In October 2012, researcher Fabio Assolini published the details of an attack which had been taking place in Brazil since 2011 using a single firmware vulnerability, two malicious scripts and 40 malicious DNS servers. This operation affected six hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems.

full article on ZDNet's site

Top 25 passwords

From ZDNet:

After it was discovered that more than six million LinkedIn passwords had been leaked as well as many at Last.fm and eHarmony, no one has stopped talking about password and passcode security.


Case in point, take a look at this new report from IT security consultant Mark Burnett. Self-described as someone who "loves writing about passwords," Burnett has compiled a list of the "top 500 worst (aka most common) passwords" based on a variety of methods he has detailed on his blog.

Here are the top 25, as extracted by antivirus solution provider ESET. Is yours one of them? If so, it's safe to say you should consider changing it to something stronger immediately.


More vulnerabilities in SCADA systems

from Slashdot:

"It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. And now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work."

Related story: Critical infrastructure software has fundamental security vulnerabilities - warning, ComputerWorld

Crime doesn't pay

or be careful who you attack (source: Slashdot):

"A pretrial hearing in the case against accused LulzSec hacker Jeremy Hammond this week ended with the 27-year-old Chicago man being told he could be sentenced to life in prison for compromising the computers of Stratfor. Judge Loretta Preska told Hammond in a Manhattan courtroom on Tuesday that he could be sentenced to serve anywhere from 360 months-to-life if convicted on all charges relating to last year's hack of Strategic Forecasting, or Stratfor, a global intelligence company whose servers were infiltrated by an offshoot of the hacktivist collective Anonymous."

New rootkit injects iFrames

A few days ago, an interesting piece of Linux malware came up on the Full Disclosure mailing-list. It's an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server - and therefore working as a part of drive-by download scenario.


Hacking techniques 2012

I was reviewing Trend Micro's Russian Underground 101 report, which a friend forwarded to me. The interesting thing is that the report can serve as a list of the techniques used by today's hackers: file encryption, dedicated servers, proxies, VPNs, application-level attacks (SQLi, etc.), social engineering, etc. etc.

Territorial reserve

The idea has been coming up lately: the creation of a cyber territorial reserve to help defend the country in case of cyber-war.

Following Sandy, DHS seeks security ‘Cyber Reserve’
By Taylor Armerding

November 02, 2012 — CSO — The damage to the electrical grid from Superstorm Sandy is just a taste of what could happen from a major cyberattack, says Department of Homeland Security (DHS) Secretary Janet Napolitano.

And a DHS task force said this week that one way to minimize that kind of risk is to recruit a "Cyber Reserve" of computer security pros that could be deployed throughout the country to help the nation defend and recover from such an attack.

Napolitano and other high government officials have been preaching about the escalating threats, particularly from hostile nation states like Iran, Russia and China, for some time.
The Hill reported that at a cybersecurity event hosted by the Washington Post, Napolitano said while recent news has been about financial institutions being hit with Distributed Denial of Service (DDoS) attacks, the nation's control systems for major infrastructure like utilities and transportation infrastructure were also being targeted.

The Secretary used Hurricane Sandy to make the point. "If you think that a critical systems attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities," Napolitano said.


full story at CSO

7 things about Russian cybercrime

7 things you didn't know about Russia's cybercrime market

Last Tuesday, security firm Trend Micro released a research paper summarizing -- with several tantalizing details, naturally -- the cybercriminal underground in Russia, and it's an eye-opening read, to say the least.
The paper is based on data gathered from online forums and services used by Russian cybercriminals, contextualized by articles written by hackers on their activities. In other words, the company toured the badlands so you don't have to, and is now reporting back with intelligence.
We're not talking about hobbyists, by the way. We're talking about people who make a living doing this.
If you regularly peruse popular cybercrime forums such as antichat.ru, xeka.ru, and cardingcc.com, none of this will be news to you. But if you run a company that handles sensitive data -- these days, that's basically all of them -- there are some things you might like to know.
Seven things you probably didn't know:

Vulnerable smart meters

A recent study shows that the smart meters used to read electricity consumption remotely can be vulnerable and leak users' private information. The study refers to smart meters that use wireless communication (there are others that communicate over the power line).

Automated meter reading systems make life easy for intruders

(Phys.org)—Intruders of the break-in and snooping variety have their work cut out for them by just picking up wireless signals that are broadcast by utility meters, say researchers from the University of South Carolina at Columbia, IEEE and Rutgers. As with many other technological advances that bring new pathways for criminals, advances in meters have created concerns about intrusions. Millions of analogue meters to measure water, gas and electricity consumption have been replaced by automated meter reading (AMR) in the U.S. The newer method enables devices to broadcast readings by radio every 30 seconds for utility company employees to read as they walk or drive around with a receiver.

Full story at Phys.org: http://phys.org/news/2012-10-automated-meter-life-easy-intruders.html#jCp

An aerial view of the neighborhood where the researchers performed their eavesdropping experiments. Each blue triangle or red star represents a group of four or five meters mounted in a cluster on an exterior wall. Using an LNA and a 5 dBi omnidirectional antenna, they were able to monitor all meters in the neighborhood. Some sniffed meters may be out of the scope of this view. Credit: Ishtiaq Rouf et al.
(with thanks to Diego Kreutz)

Cyber-war 2.0

"A recent weapons flight test in the Utah desert may change future warfare after the missile successfully defeated electronic targets with little to no collateral damage.

Boeing [NYSE: BA] and the U.S. Air Force Research Laboratory (AFRL) Directed Energy Directorate, Kirtland Air Force Base, N.M., successfully tested the Counter-electronics High-powered Microwave Advanced Missile Project (CHAMP) during a flight over the Utah Test and Training Range that was monitored from Hill Air Force Base.

CHAMP, which renders electronic targets useless, is a non-kinetic alternative to traditional explosive weapons that use the energy of motion to defeat a target."

Full story on Boeing's site

The face of a hacker

Annoyed by the constant attacks, Georgia published a report with several interesting details, including two photographs of an alleged hacker.
Story at ZDNet

AES support in Intel CPUs

from the TrueCrypt site:

Some processors (CPUs) support hardware-accelerated AES encryption,* which is typically 4-8 times faster than encryption performed by the purely software implementation on the same processors.
By default, TrueCrypt uses hardware-accelerated AES on computers that have a processor where the Intel AES-NI instructions are available. Specifically, TrueCrypt uses the AES-NI instructions that perform so-called AES rounds (i.e. the main portions of the AES algorithm).** TrueCrypt does not use any of the AES-NI instructions that perform key generation.
Note: By default, TrueCrypt uses hardware-accelerated AES also when an encrypted Windows system is booting or resuming from hibernation (provided that the processor supports the Intel AES-NI instructions).
To find out whether TrueCrypt can use hardware-accelerated AES on your computer, select Settings > Performance and check the field labeled 'Processor (CPU) in this computer supports hardware acceleration for AES'.
To find out whether a processor you want to purchase supports the Intel AES-NI instructions (also called "AES New Instructions"), which TrueCrypt uses for hardware-accelerated AES, please check the documentation for the processor or contact the vendor/manufacturer. Alternatively, click here to view an official list of Intel processors that support the AES-NI instructions. However, note that some Intel processors, which the Intel website lists as AES-NI-supporting, actually support the AES-NI instructions only with a Processor Configuration update (for example, i7-2630/2635QM, i7-2670/2675QM, i5-2430/2435M, i5-2410/2415M). In such cases, you should contact the manufacturer of the motherboard/computer for a BIOS update that includes the latest Processor Configuration update for the processor.
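The TrueCrypt dialog above answers the AES-NI question for one machine; the script below is an added example (not TrueCrypt's code) that performs the same check on Linux by reading the CPUID feature flags the kernel exposes in /proc/cpuinfo, where AES-NI appears as the flag "aes". The sample cpuinfo texts are constructed so the parser can be exercised offline; a BIOS that has not received the Processor Configuration update mentioned above simply leaves the flag out, and the check then reports False.

```python
"""Detect whether the CPU advertises AES-NI, the instructions TrueCrypt
uses for hardware-accelerated AES.

Added example, not TrueCrypt's own code. Linux only: the kernel publishes
the CPUID feature flags in /proc/cpuinfo, and AES-NI shows up there as the
flag "aes". SAMPLE_* are constructed stand-ins for that file.
"""
from pathlib import Path

# Constructed sample: a CPU that advertises AES-NI.
SAMPLE_CPUINFO_WITH_AES = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 popcnt aes avx
"""

# Constructed sample: same family, but the "aes" flag is absent (as it would
# be on a part whose BIOS lacks the Processor Configuration update).
SAMPLE_CPUINFO_WITHOUT_AES = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU without AES-NI (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 popcnt
"""


def cpu_flags(cpuinfo_text: str) -> set:
    """Return the union of feature flags listed on every 'flags' line."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def has_aes_ni(cpuinfo_text: str) -> bool:
    """True if the 'aes' flag (Intel AES-NI, also used for AMD's AES) is advertised."""
    return "aes" in cpu_flags(cpuinfo_text)


def local_cpu_has_aes_ni(path: str = "/proc/cpuinfo"):
    """Check the running machine. Returns None when /proc/cpuinfo cannot be
    read (non-Linux hosts), so a caller can fall back to software AES."""
    try:
        return has_aes_ni(Path(path).read_text())
    except OSError:
        return None


if __name__ == "__main__":
    print("constructed sample with aes   :", has_aes_ni(SAMPLE_CPUINFO_WITH_AES))
    print("constructed sample without aes:", has_aes_ni(SAMPLE_CPUINFO_WITHOUT_AES))
    print("this machine                  :", local_cpu_has_aes_ni())
```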


A long list of fuzzers on the site of the book "Fuzzing: Brute Force Vulnerability Discovery": http://www.fuzzing.org/

Vulnerabilities in Android apps

Popular Android Apps Vulnerable
Security study finds flawed SSL implementations in more than 1,000 Android apps.

Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
(with thanks to Diego Kreutz)

Business in cyber-war

"only a ‘rookie’ could ignore this ‘bonanza’"

The cyberwar opportunity for… investors
Inteligência Económica

CloudFlare and DDoS

CloudFlare operates a content distribution network (CDN) and specialises in protecting sites from DDoS attacks. The article explains how it achieves this with 23 data centres around the world and using Anycast.

One big cluster: How CloudFlare launched 10 data centers in 30 days

On August 22, CloudFlare, a content delivery network, turned on a brand new data center in Seoul, Korea—the last of ten new facilities started across four continents in a span of thirty days. The Seoul data center brought CloudFlare's number of data centers up to 23, nearly doubling the company's global reach—a significant feat in itself for a company of just 32 employees.


In the two years since its launch, the content delivery network and denial-of-service protection company has helped keep all sorts of sites online during global attacks, both famous and infamous—including recognition from both Davos and LulzSec. And all that attention has amounted to Yahoo-sized traffic—the CloudFlare service has handled over 581 billion pageviews since its launch.

Yet CloudFlare does all this without the sort of Domain Name Service "black magic" that Akamai and other content delivery networks use to forward-position content—and with only 32 employees. To reach that level of efficiency, CloudFlare has done some black magic of a different sort, relying on open-source software from the realm of high-performance computing, storage tricks from the world of "big data," a bit of network peering arbitrage and clever use of a core Internet routing technology.

In the process, it has created an ever-expanding army of remote-controlled service points around the globe that can eat 60-gigabit-per-second distributed denial of service attacks for breakfast.


CloudFlare's CDN is based on Anycast, a standard defined in the Border Gateway Protocol—the routing protocol that's at the center of how the Internet directs traffic. Anycast is part of how BGP supports the multi-homing of IP addresses, in which multiple routers connect a network to the Internet; through the broadcasts of IP addresses available through a router, other routers determine the shortest path for network traffic to take to reach that destination.

Using Anycast means that CloudFlare makes the servers it fronts appear to be in many places, while only using one IP address. "If you do a traceroute to Metallica.com (a CloudFlare customer), depending on where you are in the world, you would hit a different data center," Prince said. "But you're getting back the same IP address."

That means that as CloudFlare adds more data centers, and those data centers advertise the IP addresses of the websites that are fronted by the service, the Internet's core routers automatically re-map the routes to the IP addresses of the sites. There's no need to do anything special with the Domain Name Service to handle load-balancing of network traffic to sites other than point the hostname for a site at CloudFlare's IP address. It also means that when a specific data center needs to be taken down for an upgrade or maintenance (or gets knocked offline for some other reason), the routes can be adjusted on the fly.
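The re-mapping the article describes, as an added example (not CloudFlare's code): a constructed router topology is modelled as a weighted graph, several PoPs announce the same prefix, and every client router is steered to whichever announcing PoP is cheapest by path cost. Withdrawing one PoP's announcement re-routes its clients to the next-nearest PoP with nothing changed in DNS. Router names, link costs and the prefix are all hypothetical.

```python
"""Model of Anycast: several PoPs announce one prefix, each client router
resolves it to the nearest announcing PoP by path cost, and a withdrawn
announcement re-maps that PoP's clients automatically.

Added example, not CloudFlare's code. Topology and costs are constructed.
"""
import heapq

# Constructed topology: undirected links, cost standing in for path length.
LINKS = [
    ("lisbon", "london", 3), ("london", "amsterdam", 1),
    ("amsterdam", "frankfurt", 1), ("frankfurt", "vienna", 2),
    ("london", "newyork", 8), ("newyork", "chicago", 2),
    ("chicago", "sanjose", 5), ("sanjose", "tokyo", 12),
    ("tokyo", "seoul", 2), ("vienna", "tokyo", 20),
]

ANYCAST_PREFIX = "203.0.113.0/24"          # documentation range, constructed
POPS = {"amsterdam", "sanjose", "seoul"}   # PoPs announcing that one prefix


def build_graph(links):
    """Adjacency map {router: {neighbour: cost}} from the link list."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def distances_from(graph, source):
    """Dijkstra: cheapest path cost from source to every reachable router."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def anycast_route(graph, client, announcing_pops):
    """(pop, cost) of the nearest PoP still announcing the prefix, or
    (None, None) when no announcement is reachable."""
    dist = distances_from(graph, client)
    reachable = [(dist[p], p) for p in announcing_pops if p in dist]
    if not reachable:
        return None, None
    cost, pop = min(reachable)
    return pop, cost


def route_table(graph, clients, announcing_pops):
    """Which PoP serves the anycast prefix for each client router."""
    return {c: anycast_route(graph, c, announcing_pops)[0] for c in clients}


if __name__ == "__main__":
    g = build_graph(LINKS)
    clients = ["lisbon", "vienna", "chicago", "tokyo"]
    print("prefix", ANYCAST_PREFIX)
    print("all PoPs announcing :", route_table(g, clients, POPS))
    # Take sanjose down for maintenance: its announcement is withdrawn and
    # chicago is re-mapped to amsterdam; the other clients are unaffected.
    print("sanjose withdrawn   :", route_table(g, clients, POPS - {"sanjose"}))
```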


full article on Ars Technica's site

0-day attacks worse than previously thought

Zero-day attacks are meaner, more rampant than we ever thought

Computer attacks that target undisclosed vulnerabilities are more common and last longer than many security researchers previously thought. The finding comes from a new study that tracked the number and duration of so-called zero-day exploits over three years.

The typical zero-day attack, by definition, exploits software flaws before they are publicly disclosed. It lasts on average 312 days, with some lasting as long as two and a half years, according to the study by researchers from antivirus provider Symantec. Of the 18 zero-day attacks the researchers found between 2008 and 2011, 11 of them previously went undetected. Recent revelations that the Stuxnet malware that sabotaged Iranian nuclear facilities relied on five zero days already underscored the threat posed by such attacks. But the researchers said their findings suggest the menace may be even greater.

"Zero-day attacks are difficult to prevent because they exploit unknown vulnerabilities, for which there are no patches and no anti-virus or intrusion-detection signatures," they wrote. "It seems that, as long as software will have bugs and the development of exploits for new vulnerabilities will be a profitable activity, we will be exposed to zero-day attacks. In fact, 60 percent of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought—perhaps more than twice as many."

Researchers Leyla Bilge and Tudor Dumitras conducted a systematic study that analyzed executable files collected from 11 million computers around the world from February 2008 to March 2012. Three of the zero-day exploits they found were disclosed in 2008, seven were disclosed in 2009, six were disclosed in 2010, and two were disclosed in 2011. (The binary reputation data the researchers relied on prevented them from identifying attacks in 2012.) An attack on many versions of Microsoft Windows, which appears to have gone undetected as a zero day until now, had the shortest duration: just 19 days. An exploit of a separate security bug in the Windows shell had the longest duration: 30 months.

full story on Ars Technica's site

Food for thought: Two Chinese technology companies considered "security threats" to the US

Something to think about...

Two Chinese technology companies considered "security threats" to the US

Two of the world's largest technology companies and smartphone manufacturers, the Chinese firms Huawei and ZTE, are accused by the US of representing a threat to the country's security. A House of Representatives committee recommends that US companies avoid doing business with the two Chinese companies.

"China has the means, opportunity and motive to use telecommunications companies for malicious purposes," reads a report by the House of Representatives security committee, which is mostly made up of members of the Republican Party.

The same document states that "Huawei and ZTE failed to allay this committee's concerns about the security problems arising from their continued expansion in the United States. Given their obstructionist behaviour, the committee believes this has made it imperative to seek a solution to this problem".

The Congressional security committee's report goes so far as to recommend that US companies not do business with Huawei and ZTE because of the two companies' alleged ties to the Chinese government: "Based on various information – classified and public – we cannot consider Huawei and ZTE to be free from the influence of a foreign state and, therefore, they constitute a threat to the security of the United States and to our systems."

full story on Público's site

NIST chooses SHA-3: Keccak

NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition

From NIST Tech Beat: October 2, 2012

"The National Institute of Standards and Technology (NIST) today announced the winner of its five-year competition to select a new cryptographic hash algorithm, one of the fundamental tools of modern information security.

The winning algorithm, Keccak (pronounced “catch-ack”), was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. The team’s entry beat out 63 other submissions that NIST received after its open call for candidate algorithms in 2007, when it was thought that SHA-2, the standard secure hash algorithm, might be threatened. Keccak will now become NIST’s SHA-3 hash algorithm."

Story on NIST's site

Explanation of Keccak

(with thanks to Ibéria Medeiros)

British intelligence agencies advise companies on cyber-security

Business leaders urged to step up response to cyber threats

The UK’s most senior business leaders are getting new advice on how to better tackle the growing cyber threats to their companies.

Currently, too few company chief executives and chairs take a direct interest in protecting their businesses from cyber threats.

So now, for the first time, the Government and intelligence agencies are directly targeting the most senior levels in the UK’s largest companies and providing them with advice on how to safeguard their most valuable assets, such as personal data, online services and intellectual property.

Today, the Government is launching Cyber Security Guidance for Business at an event attended by FTSE 100 CEOs and Chairs, Ministers from the Department for Business, Innovation and Skills (BIS), Foreign Office, Cabinet Office, Home Office and senior figures from the intelligence agencies.

Business Secretary Vince Cable said:

“Cyber security threats pose a real and significant risk to UK business by targeting valuable assets such as data and intellectual property. By properly protecting themselves against attacks companies are protecting their bottom line.

“Ensuring this happens should be the responsibility of any chief executive or chair as part of an approach to good corporate governance which secures a business for the long-term.”

full story

DSL modem vulnerability affects 4.5 million in Brazil

DSL modem hack used to infect millions with banking fraud malware

Millions of Internet users in Brazil have fallen victim to a sustained attack that exploited vulnerabilities in DSL modems, forcing people visiting sites such as Google or Facebook to reach imposter sites that installed malicious software and stole online banking credentials, a security researcher said.

The attack, described late last week during a presentation at the Virus Bulletin conference in Dallas, infected more than 4.5 million DSL modems, said Kaspersky Lab Expert Fabio Assolini, citing statistics provided by Brazil's Computer Emergency Response Team. The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.

"This is the description of an attack happening in Brazil since 2011 using 1 firmware vulnerability, 2 malicious scripts and 40 malicious DNS servers, which affected 6 hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems," Assolini wrote in a blog post published on Monday morning. "This enabled the attack to reach network devices belonging to millions of individual and business users, spreading malware and engineering malicious redirects over the course of several months."

Assolini said the mass attack was the result of a "perfect storm" brought on by the inaction of a variety of key players, including ISPs, modem manufacturers, and the Brazilian governmental agency that approves network devices, but failed to test any of the modems for security.

It remains unclear which modem manufacturers and models are susceptible to the attacks. Assolini said a vulnerability disclosed in early 2011 appears to be caused by a chipset driver included with modems that use hardware from communications chip provider Broadcom. It allows a CSRF attack to take control of the administration panel and capture the password set on vulnerable devices. Assolini doesn't know precisely when, but at some point attackers began exploiting the vulnerability on millions of Brazilian modems. In addition to pointing the devices to malicious DNS servers, the attackers also changed the device passwords so it would be harder for victims to change the malicious settings.

full story on the Ars Technica site
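The modem attack above works because the admin panel accepts a settings change from any page the victim's browser happens to load. The following is an added example (not firmware code and not from the article) that puts a deliberately vulnerable "set DNS" handler next to a hardened one using the two standard CSRF defences, an Origin/Referer check and a per-session synchronizer token. The device address, session object and request shapes are constructed for the example.

```python
"""CSRF defence for a device admin panel: vulnerable handler beside the hardened one.
Constructed example; the Device class stands in for the modem's settings and session."""
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_HOST = "192.168.1.1"   # assumed LAN address of the modem's admin interface


class Device:
    """Minimal stand-in for the modem's DNS setting and an authenticated admin session."""
    def __init__(self):
        self.dns_servers = ["192.168.1.1"]         # constructed default: resolve via the ISP
        self.csrf_token = secrets.token_hex(16)    # issued once, when the admin logs in


def handle_set_dns_vulnerable(device, method, headers, form):
    """'Before': any request carrying the session cookie changes DNS, whichever site sent it.
    method and headers are ignored on purpose; that is the defect."""
    if "dns1" in form:
        device.dns_servers = [form["dns1"]]
        return 200
    return 400


def same_origin(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is the device itself."""
    source = headers.get("Origin") or headers.get("Referer")
    return source is not None and urlsplit(source).hostname == DEVICE_HOST


def handle_set_dns_hardened(device, method, headers, form):
    """'After': POST only, same-origin only, and the session's synchronizer token must match."""
    if method != "POST":
        return 405
    if not same_origin(headers):
        return 403
    if not hmac.compare_digest(form.get("csrf", ""), device.csrf_token):
        return 403
    if "dns1" not in form:
        return 400
    device.dns_servers = [form["dns1"]]
    return 200


def forged_request():
    """What a victim's browser sends when a third-party page auto-submits a form at the modem:
    the session cookie rides along, the Origin is the third-party page, no token is known."""
    return "POST", {"Origin": "http://evil.example"}, {"dns1": "203.0.113.53"}


def legitimate_request(device):
    """A change made from the device's own admin page, with the token the page embedded."""
    return "POST", {"Origin": f"http://{DEVICE_HOST}"}, {"dns1": "198.51.100.53",
                                                        "csrf": device.csrf_token}


def demo():
    """Run the forged request against both handlers, then a legitimate one against the hardened."""
    before, after = Device(), Device()
    method, headers, form = forged_request()
    vuln_status = handle_set_dns_vulnerable(before, method, headers, form)
    forged_status = handle_set_dns_hardened(after, method, headers, form)
    dns_after_forgery = after.dns_servers[0]
    method, headers, form = legitimate_request(after)
    legit_status = handle_set_dns_hardened(after, method, headers, form)
    return {
        "vulnerable_status": vuln_status, "vulnerable_dns": before.dns_servers[0],
        "hardened_forged_status": forged_status, "hardened_dns_after_forgery": dns_after_forgery,
        "hardened_legit_status": legit_status, "hardened_dns_after_legit": after.dns_servers[0],
    }
```

The token must be compared with `hmac.compare_digest` rather than `==` so that a mismatch does not leak timing, and the Origin check is a second layer rather than a replacement: the token alone already stops the forged request, but older browsers that omit Origin are still caught by the Referer fallback. Marking the session cookie `SameSite` would add a third layer at no cost.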

DIAP shelves complaint against file sharing

DIAP shelves complaint against file sharing because it is "impossible" to identify those responsible

The Lisbon Department of Investigation and Criminal Action (Departamento de Investigação e Acção Penal) shelved a complaint by the Associação do Comércio Audiovisual, Obras Culturais e de Entretenimento de Portugal about file sharing on the Internet, considering it "impossible" to identify those responsible. The association will ask for the ruling to be declared void, arguing that "there was not even an inquiry", and the Sociedade Portuguesa de Autores says it is "perplexed", stating that it "will not stand idly by".

Full story and the DIAP ruling on the Público site

China and the Comment Group

Hackers Linked to China’s Army Seen From EU to D.C.

The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers’ activity.

Over 10 days last July, the hackers returned to the council’s computers four times, accessing the internal communications of 11 of the EU’s economic, security and foreign affairs officials. The breach, unreported until now, potentially gave the intruders an unvarnished view of the financial crisis gripping Europe.

And the spies were themselves being watched. Working together in secret, some 30 North American private security researchers were tracking one of the biggest and busiest hacking groups in China.

Observed for years by U.S. intelligence, which dubbed it Byzantine Candor, the team of hackers also is known in security circles as the Comment group for its trademark of infiltrating computers using hidden webpage computer code known as “comments.”

During almost two months of monitoring last year, the researchers say they were struck by the sheer scale of the hackers’ work as data bled from one victim after the next: from oilfield services leader Halliburton Co. (HAL) to Washington law firm Wiley Rein LLP; from a Canadian magistrate involved in a sensitive China extradition case to Kolkata-based tobacco and technology conglomerate ITC Ltd. (ITC)

continued: http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html

Portugal at the top of file sharing

... and record label profits rise, despite piracy. If the figures were computed in downloads per capita we would be much higher up.

From Público online:

Portugal among the 20 countries with the most illegal music sharing

17.09.2012 - 16:44 By Alexandre Martins

A report on digital music consumption trends around the world shows that the Portuguese are among the most active in illegal file sharing. Portugal appears in 13th place on the list of the 20 countries that most avoid physical and online shops, but one only has to do the maths to see that the country rises into the top 5 in the ratio between the number of inhabitants and the number of shares. And who is the most popular artist among Portuguese "pirates"? The Spaniard Pablo Alborán, who sang the song "Perdóname" with the fado singer Carminho.

The first Digital Music Index, produced by the company Musicmetric, presents itself as "the most detailed study ever of the digital music landscape around the world". The report analyses legal and illegal music consumption on direct-sale or streaming services such as iTunes, 7Digital, Spotify, WiMP and Deezer; on social networks and video and audio sharing sites such as Facebook, Twitter, YouTube, SoundCloud or Last.fm; and on sites that host and/or provide search access to torrent files, such as ThePirateBay.

Despite the obvious growth of illegal file sharing, the study concludes that record labels' revenues in the digital music sales sector rose 8% in 2011, to 5.2 billion dollars (almost 4 billion euros). Revenues grew even relative to 2010 (from 5% to 8%), in what was the first rise in two consecutive years since the International Federation of the Phonographic Industry began recording the data, in 2004.

The study also draws attention to a reality that has already turned into stars many artists who a decade ago would have had little chance of stepping onto the big stages: "It is clear that in a world where there are more artists than ever, getting people to at least listen to a given artist's music is a decisive factor in their growth." For example, besides Facebook, television series are increasingly important in the relationship between music and potential consumers, the study points out.

Portugal big on torrents

The idea of "getting people to at least listen to a given artist's music" naturally includes illegal sharing sites. "The trend shows us that in the first six months of 2012, the total number of downloads through BitTorrent clients was 405 million, 78% of them albums and 22% singles", the report highlights.

It is true that these sites do not live only from hosting and offering searches for music protected by copyrights held by large record companies: an example is the self-styled "Electro artist and producer" Billy Van, who licensed his EP "The Cardigan" for distribution on the BitTorrent network.

With or without a licence, the Portuguese stand out in this respect: of the 20 countries that shared the most music files, Portugal appears in 13th position, with a total of 5,597,198 shares in the first six months of 2012. By comparison, Sweden, home of the controversial ThePirateBay and of the first Pirate Party, came in 19th place, with 4,074,594 shares.

Comparing the number of shares with the number of inhabitants per country, Portugal rises to 5th position, behind only the United Kingdom, Italy, Canada and Australia.

In absolute terms, the United States is the country with the most shares (96,868,398), followed by the United Kingdom (43,314,568), Italy (33,226,258), Canada (23,953,053) and Brazil (19,677,596).

Nitol = supply chain attack

Microsoft has found that the bot of the Nitol botnet is introduced into PCs in an "unsecure supply chain", that is, at the factory, the distributor or the shop, before reaching the consumer. A good example of a supply chain attack.

Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain

OWASP Broken Web Apps

OWASP has released a virtual machine called OWASP Broken Web Apps, or OWASPBWA. It is a VM for VMware, although it is easy to convert it for VirtualBox.

The VM has several vulnerable web applications running. The interface is just a shell used for configuration (there is no graphical interface). To use/attack the applications, a browser running on the host computer is used. If a proxy is needed, it also has to be installed on the host.

A list of the vulnerable applications is in the user guide, but here are some anyway: OWASP WebGoat and WebGoat.NET, Mutillidae, Damn Vulnerable Web Application, Ghost, Vicnum, WordPress, Joomla, etc.

Saudi oil company suffers cyber attack

Connecting the Dots After Cyberattack on Saudi Aramco


In a statement on Sunday, Khalid al-Falih, Aramco’s chief executive, said Aramco had restored its main internal network services after they were “impacted on Aug. 15, 2012, by a malicious virus that originated from external sources and affected about 30,000 workstations.”


To support their claim, they posted blocks of what they claimed were the infected I.P. addresses to Pastebin, a Web site often used by hackers to post data from such attacks. The group said it had attacked the government-owned oil company in retribution for what it said was the Saudi government’s support for “oppressive measures” in the Middle East.

The attack was the first significant use of malware by so-called hacktivists — hackers who attack for political reasons rather than for profit. Hacktivist groups like LulzSec and Anonymous typically recruit volunteers to flood a Web site with traffic until it goes offline. In this case, hackers used a malicious virus that was intended to inflict more harm.

Security researchers at Symantec, the computer security firm, said that hours after the attack, they received a sample of the virus they believe was responsible. The virus, named Shamoon after a word in its code, was designed to overwrite critical files with an image of a burning American flag. The researchers discovered instructions in Shamoon’s code, what is known as a “kill timer,” to attack at 4:08 a.m. on Aug. 15 — the same time hackers said they had destroyed Saudi Aramco’s computers.

Symantec’s researchers said that they had received the sample of malware from an outside security researcher who discovered it on a computer “in the Middle East.” They declined to identify that researcher or specify the country or organization where the virus was found. But Vikram Thakur, a senior researcher with Symantec’s response team, said it was “extremely likely” that Shamoon was used in the attack on Saudi Aramco.


full story

Router for critical infrastructure vulnerable

Secret account in mission-critical router opens power plants to tampering

The branch of the US Department of Homeland Security that oversees critical infrastructure has warned power utilities, railroad operators, and other large industrial players of a weakness in a widely used router that leaves them open to tampering by untrusted employees.

The line of mission-critical routers manufactured by Fremont, California-based GarrettCom contains an undocumented account with a default password that gives unprivileged users access to advanced options and features, Justin W. Clarke, an expert in the security of industrial control systems, told Ars. The "factory account" makes it possible for untrusted employees or contractors to significantly escalate their privileges and then tamper with electrical switches or other industrial controls that are connected to the devices.

GarrettCom boxes are similar to regular network routers and switches except that they're designed to withstand extreme heat and cold, as well as dry, wet, or dusty conditions. They're also fluent in the Modbus and DNP communications protocols used to natively administer industrial control and supervisory control and data acquisition gear.

Search results recently returned by the Shodan computer search engine showed nine of the vulnerable devices connected to the Internet using US-based IP addresses. If the default credentials haven't been changed, the undocumented factory account can allow people with guest accounts to gain unfettered control of the devices, said Clarke, who is a researcher with Cylance, a firm specializing in security of industrial systems.

"Cylance has identified an unforeseen method whereby a user authenticated as 'guest' or 'operator' can escalate privileges to the 'factory' account," an advisory published by the company warned. Clarke told Ars he discovered the account after buying a device off of eBay for $12 and analyzing the way it worked. Clarke is the same researcher who discovered an undocumented account with a hard-coded password in a similar line of mission-critical switches sold by GarrettCom competitor RuggedCom.

The Industrial Control Systems Cyber Emergency Response Team has issued an advisory recommending users of the GarrettCom devices install a security update that locks down the factory account.

full article on Ars Technica

Analysis of the two Java vulnerabilities

Java 0day analysis (CVE-2012-4681)


A couple of days ago, a Java 0day was found running like crazy in the wild. While a lot of defense bunnies were asking "WWMAD" (What will my Antivirus do?), we decided to dive into Java for the details of the vulnerability and as we expected, the unpatched vulnerabilities used in the Gondvv exploit were more than one (When we said, "dive deep into Java", we actually meant open our new Infiltrate 2013 Master Class slide deck which will include a full day of Java auditing).
The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check.

The beauty of this bug class is that it provides 100% reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).

As a final note, the bug was introduced in Java 7.0 released in July 28, 2011. While you are feeling the rush of blood going through your veins from getting all those shells popped, think that somewhere not far away (probably a 10-hour flight from some of the major airports in North America) someone was enjoying it non-stop for quite some time now.

Critical vulnerability in Java

The subheading says it all: "Please, for the love of your computer, disable Java on your browser."

Attack targeting critical Java bug added to hack-by-numbers exploit kit


On Monday night, about 24 hours after the vulnerability became public, attack code exploiting it was added to BlackHole, an exploit kit sold in underground forums, security researchers said. A quick inspection of the BlackHole attack by antivirus provider F-Secure found it used many of the same coding conventions contained in a proof-of-concept exploit published earlier by security researcher Joshua Drake. It was also added to the Metasploit exploit framework used by penetration testers and hackers.

"There being no latest patch against this, the only solution is to totally disable Java," F-Secure researchers wrote. "Since this is the most successful exploit kit + zero-day... que horror. Please, for the love of your computer disable Java on your browser."

Researchers from Symantec on Tuesday reported two websites that are actively wielding the exploit, up from the single site discovered on Sunday.


Full article on Ars Technica

Big brother meets the internet

or how to spy on all the traffic of (a part of) the internet:

Big Brother on a budget: How Internet surveillance got so cheap 
Deep packet inspection, petabyte-scale analytics create a "CCTV for networks."

When Libyan rebels finally wrested control of the country last year away from its mercurial dictator, they discovered the Qaddafi regime had received an unusual gift from its allies: foreign firms had supplied technology that allowed security forces to track nearly all of the online activities of the country’s 100,000 Internet users. That technology, supplied by a subsidiary of the French IT firm Bull, used a technique called deep packet inspection (DPI) to capture e-mails, chat messages, and Web visits of Libyan citizens.

The fact that the Qaddafi regime was using deep packet inspection technology wasn’t surprising. Many governments have invested heavily in packet inspection and related technologies, which allow them to build a picture of what passes through their networks and what comes in from beyond their borders. The tools secure networks from attack—and help keep tabs on citizens.

Narus, a subsidiary of Boeing, supplies “cyber analytics” to a customer base largely made up of government agencies and network carriers. Neil Harrington, the company’s director of product management for cyber analytics, said that his company’s “enterprise” customers—agencies of the US government and large telecommunications companies—are ”more interested in what's going on inside their networks” for security reasons. But some of Narus’ other customers, like Middle Eastern governments that own their nations’ connections to the global Internet or control the companies that provide them, “are more interested in what people are doing on Facebook and Twitter.”


full text on the Ars Technica site

Mind hackers

'Mind hackers' could get secrets from your brainwaves

Security researchers have used cheap Emotiv headsets to capture people's subconscious responses to stimuli and use them to uncover data directly from their subjects' brains. It's a theoretical risk to privacy and security that could become significant with further advances in technology

full story on the ZDNet site

An "epic" hack

Mat Honan of Wired suffered an "epic" attack, to use his own word: he lost his Google and Twitter accounts and all the data on his iPhone, iPad and MacBook. All thanks to authentication vulnerabilities. The story is told in a Wired article:

How Apple and Amazon Security Flaws Led to My Epic Hacking
By Mat Honan     August 6, 2012

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. 

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz. 


Portuguese embassy websites attacked

Portuguese embassy websites attacked by hackers


The websites of several Portuguese embassies, including those in Tehran, London and Madrid, were in recent days the target of attacks by hackers who, in some cases, left signatures that are still visible.

Two separate attacks were recorded, signed by the groups Net-DeViL and Sanfour 25; the first altered pages of the embassies in Iran, the United Kingdom and the Czech Republic, leaving an anti-United States of America message. The Sanfour 25 attack targeted the embassies in Berlin, Madrid and Maputo and hit areas of the sites that are not normally visited by users. [interesting sentence]

The Sanfour 25 group also targeted the website of the National Authority for the Prohibition of Chemical Weapons. The message left by the Net-DeViL group has already been removed, but the signature left by Sanfour 25 was still visible at the end of this morning on the pages it targeted. In the latter case, the pages in question were replaced by a blank page where, in the top left corner, the words "Sanfour 25", the group's signature, can be read.

The initial information was sent to Lusa by the websegura site and confirmed by Lusa on the websites of the embassies in Berlin and Madrid, with a diplomatic source explaining that, in the case of Madrid, the site is hosted on a server in Portugal.

The information about the attack is believed to have been channelled initially by the embassy in Berlin, with Madrid also forwarding the information to Lisbon. Lusa contacted the Portuguese embassy in Maputo, which said it was unaware of the situation because it has a temporary Internet outage.

Recommendations on the BIOS

New BIOS guidelines aim to keep malware out of computer's nether regions

A US governmental organization in charge of standardizing scientific measurements and technologies has proposed new security guidelines for the BIOS mechanisms that most computers rely on to boot up.
The new guidelines are intended to make the Basic Input/Output System more resistant to malware attacks that target the system firmware. Over the past few years, at least two trojans, one called Mebromi and another proof-of-concept demonstration, have been able to survive reboots and operating-system reinstalls and evade antivirus protection by burrowing deep inside an infected computer.
"Unauthorized modification of a BIOS firmware by malicious software constitutes a significant threat because of the BIOS's unique and privileged position within the PC architecture," the new set of guidelines, which were published earlier this week by the National Institute of Standards and Technology, stated. "Malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service or a persistent malware presence."
The guidelines, which pertain to BIOSes found in computer servers, detail four proposed features, including authenticated update mechanisms, an optional secure local update mechanism, firmware integrity protections, and a mechanism to prevent system components from bypassing BIOS protections. In April NIST published proposed guidelines for BIOSes found in PCs.
Interested parties have until September 14 to comment on the proposed server guidelines. Comments may be sent by e-mail to 800-147comments@nist.gov.
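The first of the four features, an authenticated update mechanism, is the one most easily shown in code. Below is an added example (not NIST's text and not any vendor's firmware) of the checks a platform should run before writing a new BIOS image: the manifest must be authenticated by the root of trust, the image must match the digest in the manifest, and, as an extra check that I assume here rather than take from the article, an older version must not replace a newer one. A real BIOS verifies a digital signature with a public key embedded in the root of trust; because the standard library has no asymmetric signatures, an HMAC key stands in for that signature in this example, and all images, keys and versions are constructed.

```python
"""Authenticated firmware-update check with integrity and anti-rollback tests.
Constructed example.  HMAC stands in for the digital signature a real root of trust verifies."""
import hashlib
import hmac
import json

# Assumed: a secret shared only by the OEM's signing service and the platform's root of trust.
ROOT_OF_TRUST_KEY = b"constructed-oem-signing-key"


def sign_image(image, version, key=ROOT_OF_TRUST_KEY):
    """OEM side: emit a manifest (version + image digest) and an authentication tag over it."""
    manifest = json.dumps({"version": version, "sha256": hashlib.sha256(image).hexdigest()},
                          sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_update(image, manifest, tag, current_version, key=ROOT_OF_TRUST_KEY):
    """Platform side: accept only what the root of trust authorised and what is not a rollback.
    Returns (accepted, reason).  Checks run in this order so an unauthenticated manifest is
    never parsed or trusted for the later decisions."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "manifest not authenticated"
    fields = json.loads(manifest)
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), fields["sha256"]):
        return False, "image digest does not match manifest"
    if fields["version"] < current_version:
        return False, "rollback to older firmware refused"
    return True, "update accepted"


def scenarios():
    """The cases a reviewer of an update mechanism would want covered (all constructed)."""
    good = b"firmware v2 image bytes"
    manifest, tag = sign_image(good, 2)
    results = {
        "genuine": verify_update(good, manifest, tag, current_version=1),
        "tampered_image": verify_update(good + b"\x00", manifest, tag, current_version=1),
        "forged_tag": verify_update(good, manifest, "0" * 64, current_version=1),
        "rollback": verify_update(good, manifest, tag, current_version=3),
    }
    # A manifest produced without the OEM key (the tag is computed with some other key).
    wrong_manifest, wrong_tag = sign_image(good, 9, key=b"not-the-oem-key")
    results["wrong_key"] = verify_update(good, wrong_manifest, wrong_tag, current_version=1)
    return {name: accepted for name, (accepted, _reason) in results.items()}
```

The ordering matters: the digest comparison and the version comparison are only meaningful once the manifest itself is authenticated, otherwise an attacker who can rewrite the manifest can also rewrite the digest and version it carries. The fourth NIST feature, non-bypassability, is what guarantees that this check cannot be skipped by writing to the flash through some other path; that part is a hardware property, not something code like this can provide.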

theft of data of 8.7 million mobile phone users

Two arrested for hacking personal data of 8.7 million phone users

KT Corp., South Korea's second largest wireless service provider, has apologized after personal data of 8.7 million of its mobile phone subscribers was stolen by hackers. The details are suspected to have been sold to marketing firms, netting the hackers close to $1 million.


I don't know what the game is like, but the name is funny!

Control-Alt-Hack™ is a tabletop card game about white hat hacking (...)

You and your fellow players work for Hackers, Inc.: a small, elite computer security company of ethical (a.k.a., white hat) hackers who perform security audits and provide consultation services. Their motto? "You Pay Us to Hack You."

Your job is centered around Missions - tasks that require you to apply your hacker skills (and a bit of luck) in order to succeed. Use your Social Engineering and Network Ninja skills to break the Pacific Northwest's power grid, or apply a bit of Hardware Hacking and Software Wizardry to convert your robotic vacuum cleaner into an interactive pet toy...no two jobs are the same. So pick up the dice, and get hacking!


From the creator of ModSecurity. "The next-generation open source web application firewall engine, designed to be modular, portable, and efficient, and to give you the tools you need to defend sites from attack."

IronBee versus ModSecurity

After spending a couple of weeks talking about IronBee to anyone willing to listen, I have assembled a list of commonly asked questions. Not unexpectedly, the question that tops the list is about the difference between ModSecurity and IronBee.
With IronBee we had a luxury of starting a brand new project with a wealth of experience and a clear idea of what we want to achieve long-term. (This is completely the opposite from where I was when I started ModSecurity.) Thus, we were able to look at our goals and choose the best path to reach them. Because so much of our lives were spent with ModSecurity, the first thing we did was look at its successes and limitations, with the idea that we should keep what's good and improve what's not as good. Two not so good things of ModSecurity stuck out: the lack of a community of developers and the fact that ModSecurity runs only in the Apache web server.
To deal with that, we do two core things differently:
  • Community focus. We are making IronBee as open as it can be, not only by using a non-viral open source licence (Apache Software License v2), but also by adopting a transparent community-oriented approach to project management and development. We have also designed IronBee to be highly modular, so that adding to it does not have to mean having to understand the entire architecture and operation. Time will tell, but the idea is that giving up tight control will make for a better open source project in the long run.
  • Abstracted data acquisition and host-container interaction model. IronBee is built as a framework from ground up, with focus on portability among web servers and a variety of deployment models (embedded, proxy, passive, batch, etc). Hence the universal application security sensor wording. We want you to have access to IronBee no matter what your platform is. (....)


Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!


End of the "Grum" botnet

Grum, World's Third-Largest Botnet, Knocked Down

I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned. How it all happened is a long story, but I would like to summarize it for you.

The state of the Grum botnet has changed since we last talked (see previous posts here and here for a look back). On July 16, I reported that while CnC servers in Panama and Russia were alive, shutting down the Dutch server had at least made a dent in this botnet. On the morning of July 17, I got the news that the server in Panama was no longer active. The ISP owning this server at last buckled under the pressure applied by the community. It was great news. The shutdown of the Panamanian server meant a lot. I explained in my earlier post that Grum was comprised of two different segments. One was being controlled from Panama and one from Russia.

With the shutdown of the Panamanian server, a complete segment was dead forever. This good news was soon followed by some bad news. After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine. So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy.
I immediately shared this new information with three different parties—Carel Van Straten and Thomas Morrison from Spamhaus, Alex Kuzmin from CERT-GIB, and an anonymous researcher who goes by the pseudonym Nova7. After they got all the evidence from my side, they moved quickly passing this intelligence back to their contacts in Ukraine and Russia. As a result of this overnight operation, all six new servers in Ukraine and the original Russian server were dead as of today, July 18, at 11:00 AM PST.

Note: The primary server located in Russia was not taken down by their ISP, GAZINVESTPROEKT LTD.

It was their upstream provider who finally came in and null routed the IP address at our request.
According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well.
Note: We should not take 120,000 IP addresses as the size of the Grum botnet. 120,000 IP addresses constituted only the zombies actively sending spam. In many corporate and ISP environments, outgoing email traffic is blocked by default so a big portion of the Grum botnet never sends any spam, but the bot herders use them for hosting their promotional websites.


Every takedown that I have participated in, such as Srizbi, Rustock 1, Ozdok, and Cutwail 1, has given me a unique experience. So what have I learned from this takedown? When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox.

Fim do DNS Changer?

No Público, com um título hiper-creativo:

A Internet não acaba segunda-feira mas 300 mil computadores podem ficar offline 

A próxima segunda-feira foi anunciada em alguns sites e redes sociais como uma tragédia, um apagão mundial. Mas, de acordo com o FBI, serão cerca de 300 mil os computadores em todo o mundo que não terão acesso à Internet no dia 9 de Julho, numa tentativa de acabar com o vírus DNS Changer. Só os computadores infectados com o vírus correm este risco.

O vírus, que foi criado em 2007 por seis estonianos detidos no ano passado, é, segundo o relatório do FBI disponível online, um tipo de malware que controla o computador dos utilizadores, redireccionando-os para sites fraudulentos.

De acordo com Paul Vixie, presidente da empresa Internet Systems Consortium (ISC), que está a apoiar o FBI nesta operação, o DNS Changer chegou a atingir cerca de 650 mil computadores em todo o mundo, estimando-se que o crime tenha rendido 20 milhões de dólares em quatro anos aos seus criadores.

Para acabar de vez com o vírus, as autoridades norte-americanas criaram uma rede de segurança para proteger os utilizadores atingidos. No entanto, esta foi apenas uma solução temporária e a validade da rede expira às 12h do dia 9 de Julho, segunda-feira. Para evitar que os internautas vejam o seu computador impossibilitado de aceder à Internet, o FBI lançou um alerta pedindo que todos os utilizadores confirmem o estado das suas máquinas. Se estiverem infectados e não recorrerem a nenhuma ferramenta para eliminar o vírus, na segunda-feira estes computadores não terão acesso à Internet.

According to Time magazine, it is possible to check whether a computer is infected through a website created specifically for that purpose, and if the result is positive, all that remains is to remove the malware. The procedure is explained here (in English).
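The check the article refers to boils down to one question: does the machine resolve names through servers in the netblocks the criminals controlled? As an added example, not code from the original post or from the FBI/ISC effort, the following script performs that same check locally by parsing resolv.conf-style text and flagging any configured nameserver that falls inside a list of rogue ranges. The rogue netblocks themselves are not given on this page, so the ranges below are placeholders taken from the RFC 5737 documentation space, and the resolv.conf content is a constructed sample; a practitioner would substitute the published DNSChanger ranges and read the real /etc/resolv.conf (or the equivalent output on Windows).

```python
import ipaddress
import re

# Placeholder ranges standing in for the DNSChanger rogue resolver netblocks.
# The real netblocks are not on this page, so RFC 5737 documentation ranges
# are used here as constructed stand-ins; replace with the published list.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Matches "nameserver <addr>" lines, the resolv.conf syntax for configured resolvers.
_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def configured_nameservers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf-style text as ip_address objects."""
    servers = []
    for match in _NAMESERVER_RE.finditer(resolv_conf_text):
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # skip unparsable entries rather than abort the whole check
    return servers


def rogue_nameservers(resolv_conf_text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return (as strings) the configured resolvers that fall inside any rogue range."""
    return [
        str(ip)
        for ip in configured_nameservers(resolv_conf_text)
        if any(ip in net for net in rogue_ranges)
    ]


# Constructed sample: one ordinary internal resolver plus one inside a placeholder rogue block.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search example.internal
nameserver 10.0.0.53
nameserver 192.0.2.45
"""

if __name__ == "__main__":
    hits = rogue_nameservers(SAMPLE_RESOLV_CONF)
    print("Rogue resolvers configured:", hits or "none")
```

On a real host, read /etc/resolv.conf into `rogue_nameservers`; a non-empty result is the signal that the machine would have gone dark when the substitute servers were switched off, and that its DNS settings need to be reset after cleaning the malware.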

Drone attacked


University of Texas group warns of dangers associated with unmanned aircraft
US researchers hijacked a “drone” in mid-flight
Público 29.06.2012

A group of researchers from the University of Austin, in Texas, managed to take control of a “drone” during flight and demonstrate the risk of using this type of device.

“Drones” are unmanned aircraft controlled remotely, often from thousands of kilometres away, and have been used mainly in theatres of war, such as the conflict in Afghanistan. A group of researchers from Texas has now managed to prove that it is possible to hijack these devices and fool them through a technique called “spoofing”.

Through this technique, the device interprets the signal sent by “hackers” as if it were the one from the GPS satellites, which makes it possible to take control of the aircraft once its computer system has been “fooled”. The device's GPS system receives a signal stronger than the one sent to it by the satellites, Todd Humphreys, professor at the University of Texas Radionavigation Laboratory, explained to FOX News.

The aircraft thus starts responding to false information that appears real to it, and in this case it came to be controlled by a device that Humphreys described as the most advanced “spoofer” built to date, yet one that reportedly cost only about a thousand dollars.

This research demonstrates the potential dangers of using “drones”, the BBC stressed. This time the GPS system of a device belonging to the University of Texas was hijacked, but that does not mean similar experiments are not taking place in conflict scenarios. A similar method is believed to have led to the downing of a US “drone” in Iran in 2011.

The results of this research have already been presented to the US Department of Homeland Security, during an experiment in a stadium in Austin with an unmanned mini-helicopter, Fox News reported. Speaking to the US network, Humphreys asked the question that worries many security officials. “What if it is possible to bring down one of these ‘drones’ used to deliver packages, turning it into a missile? It is the same way of thinking the perpetrators of 11 September had.”

The researchers used a device that responded to an open, unencrypted GPS signal, the kind normally used in civil aviation, Noel Sharkey, head of the International Committee for Robot Arms Control, told the BBC, adding that it is easy to hijack a “drone” using the techniques employed by the Texas researchers.

“Someone with technical skills can do it, at a cost of around 1,000 dollars for the equipment,” Sharkey said. “And it is very dangerous, because if a device is heading somewhere using its GPS, a ‘spoofer’ can divert it somewhere else and make it crash into a building or another place, or can steal it and load it with explosives to then direct it at some target.”

In the next 5 to 10 years there should be around 30,000 drones in US airspace, Todd Humphreys told Fox News, warning the authorities to pay attention to this issue so as to improve the security associated with “drones”, because “each one of them could end up being used as a missile”.