Data theft affecting 8.7 million mobile phone users

Two arrested for hacking personal data of 8.7 million phone users
KT Corp., South Korea's second largest wireless service provider, has
apologized after personal data of 8.7 million of its mobile phone
subscribers was stolen by hackers. The details are suspected to have
been sold to marketing firms, netting the hackers close to $1 million.


I don't know what the game is like, but the name is funny!

Control-Alt-Hack™ is a tabletop card game about white hat hacking (...)

You and your fellow players work for Hackers, Inc.: a small, elite computer security company of ethical (a.k.a., white hat) hackers who perform security audits and provide consultation services. Their motto? "You Pay Us to Hack You."

Your job is centered around Missions - tasks that require you to apply your hacker skills (and a bit of luck) in order to succeed. Use your Social Engineering and Network Ninja skills to break the Pacific Northwest's power grid, or apply a bit of Hardware Hacking and Software Wizardry to convert your robotic vacuum cleaner into an interactive pet. No two jobs are the same. So pick up the dice, and get hacking!


From the creator of ModSecurity. "The next-generation open source web application firewall engine, designed to be modular, portable, and efficient, and to give you the tools you need to defend sites from attack."

IronBee versus ModSecurity

After spending a couple of weeks talking about IronBee to anyone willing to listen, I have assembled a list of commonly asked questions. Not unexpectedly, the question that tops the list is about the difference between ModSecurity and IronBee.
With IronBee we had the luxury of starting a brand new project with a wealth of experience and a clear idea of what we want to achieve long-term. (This is completely the opposite from where I was when I started ModSecurity.) Thus, we were able to look at our goals and choose the best path to reach them. Because so much of our lives was spent with ModSecurity, the first thing we did was look at its successes and limitations, with the idea that we should keep what's good and improve what's not as good. Two not-so-good things about ModSecurity stuck out: the lack of a community of developers and the fact that ModSecurity runs only in the Apache web server.
To deal with that, we do two core things differently:
  • Community focus. We are making IronBee as open as it can be, not only by using a non-viral open source licence (Apache Software License v2), but also by adopting a transparent community-oriented approach to project management and development. We have also designed IronBee to be highly modular, so that adding to it does not have to mean having to understand the entire architecture and operation. Time will tell, but the idea is that giving up tight control will make for a better open source project in the long run.
  • Abstracted data acquisition and host-container interaction model. IronBee is built as a framework from the ground up, with focus on portability among web servers and a variety of deployment models (embedded, proxy, passive, batch, etc). Hence the universal application security sensor wording. We want you to have access to IronBee no matter what your platform is. (....)


Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

End of the "Grum" botnet

Grum, World's Third-Largest Botnet, Knocked Down

I am glad to announce that, after three days of effort, the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned. How it all happened is a long story, but I would like to summarize it for you.

The state of the Grum botnet has changed since we last talked (see previous posts here and here for a look back). On July 16, I reported that while CnC servers in Panama and Russia were alive, shutting down the Dutch server had at least made a dent in this botnet. On the morning of July 17, I got the news that the server in Panama was no longer active. The ISP owning this server at last buckled under the pressure applied by the community. It was great news. The shutdown of the Panamanian server meant a lot. I explained in my earlier post that Grum was comprised of two different segments. One was being controlled from Panama and one from Russia.

With the shutdown of the Panamanian server, a complete segment was dead forever. This good news was soon followed by some bad news. After seeing the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine. So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations. I must say, for a moment, I was stunned. The bot herders replaced the two Dutch servers with six new servers located in Ukraine. Ukraine has been a safe haven for bot herders in the past and shutting down any servers there has never been easy.
I immediately shared this new information with three different parties—Carel Van Straten and Thomas Morrison from Spamhaus, Alex Kuzmin from CERT-GIB, and an anonymous researcher who goes by the pseudonym Nova7. After they got all the evidence from my side, they moved quickly passing this intelligence back to their contacts in Ukraine and Russia. As a result of this overnight operation, all six new servers in Ukraine and the original Russian server were dead as of today, July 18, at 11:00 AM PST.

Note: The primary server located in Russia was not taken down by their ISP, GAZINVESTPROEKT LTD. It was their upstream provider who finally came in and null routed the IP address at our request.

According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has been reduced to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well.

Note: We should not take 120,000 IP addresses as the size of the Grum botnet. 120,000 IP addresses constituted only the zombies actively sending spam. In many corporate and ISP environments, outgoing email traffic is blocked by default so a big portion of the Grum botnet never sends any spam, but the bot herders use them for hosting their promotional websites.


Every takedown that I have participated in, such as Srizbi, Rustock 1, Ozdok, and Cutwail 1, has given me a unique experience. So what have I learned from this takedown? When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones. We have proven them wrong this time. Keep on dreaming of a junk-free inbox.

The end of DNS Changer?

In Público, with a hyper-creative headline:

The Internet will not end on Monday, but 300 thousand computers may go offline

Next Monday has been announced on some websites and social networks as a tragedy, a worldwide blackout. But, according to the FBI, around 300 thousand computers worldwide will lose Internet access on 9 July, in an attempt to put an end to the DNS Changer virus. Only computers infected with the virus are at risk.

The virus, created in 2007 by six Estonians arrested last year, is, according to the FBI report available online, a type of malware that takes control of users' computers, redirecting them to fraudulent sites.

According to Paul Vixie, president of Internet Systems Consortium (ISC), which is supporting the FBI in this operation, DNS Changer reached around 650 thousand computers worldwide, and the crime is estimated to have earned its creators 20 million dollars over four years.

To eliminate the virus once and for all, the US authorities set up a safety net to protect the affected users. However, this was only a temporary solution and the network's validity expires at 12:00 on Monday, 9 July. To prevent Internet users from finding their computer unable to access the Internet, the FBI issued an alert asking all users to check the state of their machines. If they are infected and do not use any tool to remove the virus, these computers will have no Internet access on Monday.

According to Time magazine, it is possible to check whether a computer is infected through a website specially created for the purpose, and if the result is positive, it is enough to remove the malware. The procedure is explained here (in English).
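The check the article refers to boils down to looking at which DNS resolvers a machine is configured to use and comparing them against the published rogue address ranges. The following is an added example of that local check, not code from the article, the FBI or ISC; the rogue range used is an RFC 5737 documentation placeholder and the resolv.conf text is constructed, so the real address list has to be substituted before use.

```python
import ipaddress
import re

# Placeholder: the official rogue resolver ranges are not on this page, so a
# documentation network stands in for them. Replace with the published list.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_resolvers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf-style text.

    Malformed entries are skipped rather than aborting the whole check.
    """
    resolvers = []
    for line in resolv_conf_text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            resolvers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
    return resolvers


def flag_rogue_resolvers(resolvers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the resolvers that fall inside any known rogue range."""
    return [str(r) for r in resolvers
            if any(r in net for net in rogue_ranges)]


# Constructed sample: one resolver in the placeholder rogue range, one clean
# resolver (also a documentation address) and one malformed line.
SAMPLE_RESOLV_CONF = """\
nameserver 192.0.2.53
nameserver 198.51.100.1
nameserver not-an-ip
"""


def check_sample():
    """Run the check over the constructed sample and return flagged resolvers."""
    return flag_rogue_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF))


if __name__ == "__main__":
    flagged = check_sample()
    print("rogue resolvers:", flagged if flagged else "none")
```

On a real host, feed the contents of /etc/resolv.conf (or the equivalent interface settings) to parse_resolvers instead of the sample.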