Tendências para vulnerabilidades em 2014

4 Trends In Vulnerabilities That Will Continue In 2014

Dar Reading, Robert Lemos

1. More pay for researchers

Most vulnerability researchers can now get paid for the effort they put into finding vulnerabilities. Third-party bounty programs are seeing renewed interest.

(...)

2. Exploiting the guards

Researchers have found vulnerabilities in most major security software, and that will continue in 2014, according to ZDI's Gorenc. While most upcoming vulnerabilities focus on Microsoft, Adobe, Oracle and other major enterprise software vendors, a few reports include the software the companies rely on to secure their systems. In ZDI's upcoming vulnerabilities list, for example, antivirus firm Sophos and security information and event management (SIEM) firm SolarWinds are both included.

"Toward the end of 2013, we saw researchers looking for a lot more vulnerabilities in security products themselves," says Gorenc.

The trend pairs with a similar focus of attackers, who have, over the past four years, focused on attacking companies who supply security products to enterprises. RSA, Bit9, and Symantec are among the companies that have had their systems breached.

3. Embedded devices mean flaws live longer

From vulnerabilities in Android to problems with universal plug-and-play to security issues in industrial control and medical systems, vulnerabilities in embedded devices are an increasingly focus for researchers. Such security issues are a problem for users because most devices are not easily patched and often manufacturers take months to years to update their device software.

A big part of that is the resurgence of Linux as a target for research, says Rapid7's Moore. In the past, a vulnerability in Linux meant that companies had to patch their Web and database servers, but increasingly those vulnerabilities are found in embedded devices.

"Any time you have a Linux kernel vulnerability, the scary thing is that those don't go away," Moore says. "They get baked into every Android phone and embedded box that is out there."

4. Libraries under attack

Along with embedded systems, attackers will continue their focus on the popular libraries and frameworks used by developers. Graphics library, such as LibTIFF, are popular targets of vulnerability research. Rapid7 found that issues in the universal plug and play library, LibPNP, continued to be widespread.

"Library bugs tend to stick around for awhile because they apply to more and more software going forward" as developers build the libraries into more products, Moore says.

Because developers do not usually issue an update to fix vulnerabilities libraries, software reliant on vulnerable library versions continues to exist. "There is a multi-year tail on those issues," he says.

Segurança de MicroSD Cards

Um post muito interessante sobre o assunto:

On Hacking MicroSD Cards 
bunnie:studios

A conclusão mais interessante é que esses cartões têm um micro-controlador (uma variante de um Intel 8051 ou um ARM) a cerca de 100 MHz e o seu próprio firmware. Ou seja, longe se serem apenas um dispositivo de armazenamento de dados, são um pequeno computador, no qual pode ser introduzido malware etc. etc. etc.

5 ataques importantes de 2013

Lessons From Five Advanced Attacks Of 2013

1. Cryptolocker and the evolution of ransom ware
While many attackers create botnets to steal data or use victim's machines as launching points for further attacks, a specialized group of attackers have used strong-arm tactics to extort money from victims. In the past, most of these types of attacks, referred to as ransomware, have been bluffs, but Cryptolocker, which started spreading in late summer, uses asymmetric encryption to lock important files.
(…)

2. New York Times "hack" and supplier insecurity
The August attack on the New York Times and other media outlets by the Syrian Electronic Army highlighted the vulnerability posed by service providers and technology suppliers.
Rather than directly breach the New York Times' systems, the attackers instead fooled the company's domain registrar to transfer the ownership of the nytimes.com and other media firms' domains to the SEA.
(…)

3. Bit9 and attacks on security providers
In February, security firm Bit9 revealed that its systems had been breached to gain access to a digital code-signing certificate. By using such a certificate, attackers can create malware that would be considered "trusted" by Bit9's systems.
(…)

4. DDoS attacks get bigger, more subtle
A number of denial-of-service attacks got digital ink this year. In March, anti-spam group Spamhaus suffered a massive denial-of-service attack, after it unilaterally blocked a number of online providers connected--in some cases tenuously--to spam. The Izz ad-Din al-Qassam Cyberfighters continued their attacks on U.S. financial institutions, causing scattered outages during the year.
(…)

5. South Korea and destructive attacks
Companies in both the Middle East and South Korea suffered destructive attacks designed to wipe data from computers. In 2012, Saudi Aramco and other companies in the Middle East were targeted with a malicious attack that erased data from machines, causing them to become unrecoverable.
This year, South Korean firms were attacked in a similar manner in a multi-vector attack whose finale was the deletion of master boot records on infected computers. While such attacks have happened in the past, they seem to be more frequent, says Dell Secureworks' Williams.
"The impact of these attacks have been pretty impressive--30,000 machines needed to be rebuilt in the Saudi Aramco case," he says.

Para além dos SIEMs

While security information and event management (SIEM) tools have certainly helped many an enterprise IT organization get a better handle on aggregating and analyzing logs across disparate security tools, these organizations are starting to butt up against the limitations of SIEM. And as enterprises seek to gain more insight into business trends and user activity affecting security stances, they're finding that they shouldn't make the mistake of confusing the use of SIEM for the existence of security analytics practices.

"I think SIEM is a starting point for security analytics, but only a starting point," says Ed Bellis, CEO of Risk I/O.

(...)

Part of the difficulty with SIEM has been issues of increased security "noise" and complexity of systems feeding into the SIEM.

(...)

"SIEMs weren't originally designed to consume much more than syslog or netflow information with a few exceptions around configuration or vulnerability assessment," he says. "Security analytics is more than just big data, it's also diverse data. This causes serious technical architectural limitations that aren't easy to overcome with just SIEM."

For example, SIEM can't account for data sources like financial data that could help with fraud detection, human resource information, metadata about the business, or sentiment data from sources like social media. These kind of external sources to security can prove crucial in pinpointing business risks that require contextual clues to spot.

"Security analytics needs to include big picture thinking -- integration of the meanings and interactions of signals, not just the raw reduction of streams of events," says Mike Lloyd, CTO of RedSeal Networks.

Top 8 security threats of 2013

The top 8 security threats of 2013

a lista:
  1. More Sophisticated DDoS
  2. Attack of the Botnets
  3. Ignored Insider Threats
  4. Insecure Applications
  5. Data Supply Chain Threats
  6. Unauthorized Access by Former Employees
  7. Embedded Systems Vulnerabilities
  8. The Growth of Bitcoin

Boas práticas para desenvolvimento de aplicações para cloud

Acaba de sair um documento sobre o assunto publicado pela Cloud Security Alliance e pelo consórcio SAFEcode: https://cloudsecurityalliance.org/download/safecode-csa-whitepaper/

ENISA Threat Landscape report 2013

The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed. Questions addressed are: What are the top cyber-threats of 2013? Who are the adversaries? What are the important cyber-threat trends in the digital ecosystem?

Negative trends 2013:
  • Threat agents have increased the sophistication of their attacks and of their tools.
  • Clearly, cyber activities are not a matter of only a handful of nation states; indeed multiple states have developed the capacity to infiltrate both governmental and private targets.
  • Cyber-threats go mobile: attack patterns and tools targeting PCs which were developed a few years ago have now migrated to the mobile ecosystem.
  • Two new digital battlefields have emerged: big data and the Internet of Things.

Positive developments in the cyber threat trends in 2013 include:
  • Some impressive law-enforcement successes ; police arrested the gang responsible for the Police Virus; the Silk Road operator as well as the developer and operator of Blackhole, the most popular exploit kit, were also arrested.
  • Both the quality and number of reports as well as the data regarding cyber-threats have increased
  • Vendors gained speed in patching their products in response to new vulnerabilities.

A table of the top current threats and threat trends lists the following top three threats: 1. Drive-by-downloads, 2. Worms/Trojans and 3. Code injections. For full table.

Hackers atacam o Ministério dos Negócios Estrangeiros

Hackers chineses atacaram Ministério dos Negócios Estrangeiros de Portugal
Público

Um grupo de hackers a operar a partir da China conseguiu entrar no sistema informático dos ministérios dos Negócios Estrangeiros de cinco países diferentes, entre os quais Portugal, de acordo com o relatório de uma empresa americana de segurança informática, que foi noticiado pelo jornal The New York Times.

Além de Portugal, de acordo com o New York Times, os países visados foram a República Checa, Bulgária, Letónia e Hungria. Os ataques, diz o relatório da empresa californiana FireEye, terão começado em 2010 e sido feitos de forma reiterada. Os países não são mencionados no documento mas, pelos endereços de e-mail no site dos hackers, o jornal diz ser possível avançar estes cinco alvos e uma fonte da investigação confirmou-os ao New York Times.

Ao PÚBLICO, o Ministério dos Negócios Estrangeiros afirmou apenas, numa resposta por e-mail, que "sempre adoptou e continua a adoptar todas as medidas de segurança informática para a protecção da sua rede de comunicações, em articulação com as competentes autoridades nacionais nesta matéria".

Os atacantes usaram uma técnica comum para instalar software malicioso nos computadores e que implica uma falha humana: enviaram e-mails com links. Bastava alguém clicar no link para o software se instalar no computador e respectiva rede informática, abrindo portas para que os atacantes pudessem aceder remotamente a ficheiros.

De início, os atacantes enviavam um e-mail a apontar para o que diziam ser fotografias de Carla Bruni, a mulher do antigo Presidente francês Nicolas Sarkozy, nua. Mais tarde, enviaram e-mails que diziam conter informação sobre a actividade militar na Síria.

(...)

A investigação levada a cabo pela FireEye (que recebeu o nome de “Ke3Chang”, expressão encontrada no código-fonte do software malicioso) concluiu que o grupo de hackers tem servidores na China, Hong Kong e EUA. O facto de as pistas apontarem para a China como o território de origem dos ataques e de os alvos serem computadores governamentais levou a empresa a indicar que a operação estará ligada ao Governo chinês. Pequim é frequentemente acusado de ciberespionagem, acusação que já negou várias vezes.

(...)

Notícia completa no site do Público

Notícia no New York Times: China Is Tied to Spying on European Diplomats

Relatório da FireEye: Operation "Ke3chang" (pdf)

Projecto PCAS

Financiado em cerca de 70% pela Comissão Europeia, o projecto Personalized Centralized Authentication System (PCAS) está orçado em 4,5 milhões de euros e reúne um consórcio de institutos de investigação e de empresas, no qual se incluem duas representações portuguesas, a Maxdata Software e o INESC ID.

O objectivo deste projecto de investigação é desenvolver um dispositivo portátil, seguro e inovador num conceito a que foi dado o nome de Secured Personal Device (SPD). Na prática, trata-se de um dispositivo electrónico que permitirá a qualquer pessoa armazenar com segurança os seus dados e partilhá-los com aplicações confiáveis. O SPD funcionará como um add-on para smartphones que extrai a energia do dispositivo e usa os seus serviços de comunicação, por exemplo, dados móveis, Wi-Fi e Bluetooth.

O SPD terá a capacidade de reconhecer o seu proprietário através de múltiplos sensores biométricos, designadamente através de impressões digitais, do reconhecimento facial, da íris e de voz, incluindo também um sensor de stress que permite detectar qualquer tipo de coerção. Ao utilizar o mesmo sistema de autenticação biométrica, o SPD poderá comunicar de forma segura com servidores na cloud, tornando desnecessária a memorização e o uso de palavras-passe.

(...)

notícia completa no site da Semana Informática

Red October

At CloudFlare, we are always looking for better ways to secure the data we’re entrusted with. This means hardening our system against outside threats such as hackers, but it also means protecting against insider threats. According to a recent Verizon report, insider threats account for around 14% of data breaches in 2013. While we perform background checks and carefully screen team members, we also implement technical barriers to protect the data with which we are entrusted.

One good information security practice is known as the “two-man rule.” It comes from military history, where a nuclear missile couldn’t be launched unless two people agreed and turned their launch keys simultaneously. This requirement was introduced in order to prevent one individual from accidentally (or intentionally) starting World War III.

To prevent the risk of rogue employees misusing sensitive data we built a service in Go to enforce the two-person rule. We call the service Red October after the famous scene from “The Hunt for Red October.” In line with our philosophy on security software, we are open sourcing the technology so you can use it in your own organization (here’s a link to the public Github repo). If you are interested in the nitty-gritty details, read on.

Red October is a cryptographically-secure implementation of the two-person rule to protect sensitive data. From a technical perspective, Red October is a software-based encryption and decryption server. The server can be used to encrypt a payload in such a way that no one individual can decrypt it. The encryption of the payload is cryptographically tied to the credentials of the authorized users.

Authorized persons can delegate their credentials to the server for a period of time. The server can decrypt any previously-encrypted payloads as long as the appropriate number of people have delegated their credentials to the server.

Top Ten Web Hacking Techniques of 2012

Um bocado tarde mas aqui fica:

Top Ten Web Hacking Techniques of 2012

Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivilents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack. Now it its seventh year, The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work. Past Top Tens and the number of new attack techniques discovered in each year: 2006 (65), 2007(83), 2008 (70), 2009 (82), 2010 (69), 2011 (51)

The Top Ten
  1. CRIME (1, 2, 3 4) by Juliano Rizzo and Thai Duong
  2. Pwning via SSRF (memcached, php-fastcgi, etc) (2, 3, 4, 5)
  3. Chrome addon hacking (2, 3, 4, 5)
  4. Bruteforce of PHPSESSID
  5. Blended Threats and JavaScript
  6. Cross-Site Port Attacks
  7. Permanent backdooring of HTML5 client-side application
  8. CAPTCHA Re-Riding Attack
  9. XSS: Gaining access to HttpOnly Cookie in 2012
  10. Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)
Depois ainda há menções honrosas etc. Ver post original.

"Safe"-Stop

Não se percebe bem para quem é que é "safe"...

Polícia inglesa mostra como parar um carro com radiofrequências

O método ainda está em fase de testes, mas as polícias britânicas já mostraram o seu interesse, principalmente para poderem parar motas com sucesso. Até agora, as únicas formas de conseguir travar a marcha de veículos passam por furar os pneus, nomeadamente com correias de espigões. Esta técnica envolve sempre algum risco de ferimentos quer no condutor e passageiros, quer em transeuntes.

Na demonstração da RF Safe-Stop, em Worcestershire, a E2V conseguiu parar vários carros só com recurso a um pequeno emissor de RF. Os veículos circulavam a cerca de 25 km/h. Assim que o veículo se aproximava do “radar”, o painel de luzes de aviso começava a piscar erraticamente e o carro acabava por se desligar.

Segundo a revista Engineer, citada pela BBC, o dispositivo funciona nas bandas S- e L- e tem um alcance de 50 metros.

Os críticos deste método explicam que o ataque com radiofrequência pode não funcionar em pleno, porque nos carros modernos pode influenciar também o sistema eletrónico dos travões. Há ainda que considerar que os carros antigos não usam praticamente sistemas eletrónicos, pelo que não podem ser travados com este método. Por fim, os cépticos duvidam que o método consiga parar em tempo útil um veículo que esteja a circular a uma velocidade “normal”.

Fonte: Exame Informática online

Artigo na revista The Enginneer

Sítios perigosos para usar o cartão de débito

o mais surpreendente é a bomba de gasolina:

Documentos Snowden

"As more and more media outlets from all over the world continue to report on the Snowden documents, it's harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying.

None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the information back to the compilers."

Nova tarefa para botnets...

Nova tarefa para botnets: minerar bitcoins!

Atrax: Cybercrime Kit Capable of Stealing Data, Launching DDOS, Mining for Bitcoins
news.softpedia.com

Security researchers have come across a new cybercriminal kit that’s currently being advertised on underground forums. The kit is called Atrax and its main platform costs only $250 (€184).

Stuxnet e como matar uma centrifugadora

novidades interessantes sobre o Stuxnet:

Stuxnet's Earlier Version Much More Powerful And Dangerous, New Analysis FindsDarkReading

The later-discovered earlier iteration of Stuxnet was a far more aggressive, stealthy, and sophisticated attack that could have ultimately caused catastrophic physical damage in Iran's Natanz facility. So says the expert who deciphered how Stuxnet targeted the Siemens PLCs, after recently reverse-engineering the code and further studying the attacks.

Ralph Langner, head of The Langner Group and a renowned ICS/SCADA expert, today published an analysis of Stuxnet that shines new light on the game-changing cyberweapon. Langner concludes, among other things, that the attackers moved from a more destructive and stealthy payload to a weaker and more easily detected one, and conventional wisdom that it would take a nation-state to use Stuxnet as a blueprint for attacks against U.S. and its allies' critical infrastructure is incorrect.

One big takeaway from Langner's new analysis is how the Stuxnet attackers so dramatically shifted gears from a dangerous, aggressive, and hidden attack strategy that wasn't discovered for at least five years to a louder, more noticeable, and detectable one that burnt multiple zero-day vulnerabilities and used stolen digital certificates. "What you see today in that analysis is that the first attack was more complex, stealthy, and more aggressive than the second. That is counterintuitive," Langer told Dark Reading. "So why did the attackers go from the ultimate in stealth and aggression to something that's much more simple and comes with a much higher risk of detection?"

(...)

Langner's full and detailed report, "To Kill A Centrifuge," which includes analysis of photos from inside the Natanz plant floor, is available here (PDF) for download.

Microsoft deixa SHA-1 em 2016

Microsoft is recommending that customers and CA’s stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing. Microsoft Security Advisory 2880823 has been released along with the policy announcement that Microsoft will stop recognizing the validity of SHA-1 based certificates after 2016.

Background

Secure Hashing Algorithm 1 (SHA-1) is a message digest algorithm published in 1995 as part of NIST’s Secure Hash Standard. A hashing algorithm is considered secure only if it produces unique output for any given input and that output cannot be reversed (the function only works one-way).

Since 2005 there have been known collision attacks (where multiple inputs can produce the same output), meaning that SHA-1 no longer meets the security standards for a producing a cryptographically secure message digest.

For attacks against hashing algorithms, we have seen a pattern of attacks leading up to major real-world impacts:

Short history of MD5 Attacks
Source: Marc Stevens, Cryptanalysis of MD5 and SHA-1
  • 1992: MD5 published
  • 1993: Pseudo-collision attack
  • 2004: Identical-prefix collision found in 2^40 calls
  • 2006: chosen-prefix collision found in 2^49 calls
  • 2009: identical-prefix and chosen prefix optimized to 2^16 and 2^39 calls respectively, Rouge CA practical attacks implemented

It appears that SHA-1 is on a similar trajectory:
  • 1995: SHA-1 published
  • 2005: SHA-1 collision attack published in 2^69 calls
  • 2005: NIST recommendation for movement away from SHA-1
  • 2012: Identical-prefix collision 2^61 calls presented
  • 2012: Chosen-prefix collision 2^77.1 calls presented
(...)


texto completo: Security Advisory 2880823: Recommendation to discontinue use of SHA-1

Sites com desafios de hacking

7 Sites With Hacking Challenges! 

fonte: EFYtimes.com


1. OverTheWire: The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. They have lots hacking challenges which include analyze the code, simple tcp communication application, crypto cracking etc.

2. We Chall: Similar to Over The Wire, We Chall also carries lots of challenges together with a large list of other sites with similar challenges.

3. Smash The Stack: The SmashtheStack Wargaming Network hosts several Wargames. The goal is to get from the first level to the last level. Along the way you should pickup or refine any techniques that were required to defeat the level. The levels for each game are structured progressively. You start at the first level. Once you have completed the first level you will have the credentials to view the password for the next level.

4. Wixxerd: Wixxerd is a cool website with some really cool hacking challenges and games on cryptography, programming, math puzzles, enumeration, steganography, forensics and what not.

5. Hellbound Hackers: It offers challenges that teach you how computer based exploits work.

6. Badstore: Badstore.net is dedicated to help you understand how hackers prey on Web application vulnerabilities, and to show you how to reduce your exposure. The software is designed to show you common hacking techniques.

7. exploit-exercises: exploit-exercises.com provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.

Atithya Amaresh, EFYTIMES News Network

DDoS com browsers

Um artigo interessante sobre ataques DDoS usando bots que correm em browsers no site da Incapsula. Refere um ataque do género que durou 150 horas e foi realizado por mais de 180 mil endereços IP espalhados por todo o mundo, como se pode ver no mapa abaixo:


Português segunda língua mais usada em malware

Não é bonito mas é uma oportunidade para quem quiser investigar malware:

Português é a segunda língua mais usada em malware
Exame Informática

O fundador da Kaspersky Labs deu uma conferência na Austrália, onde revelou algumas curiosidades relacionadas com segurança informática e partilhou algumas estatísticas.


Ataque com pens usb

giro:

Como a Rússia usou pens USB para distribuir malware pelos delegados do G20
fonte: Exame Informática

É um clássico de qualquer evento ou conferência: o anfitrião entrega uma pasta com documentos, agendas, lembranças e até pens USB que ajudam a trabalhar toda a informação no computador. No caso da reunião do G20, que teve lugar em São Petersburgo, o anfitrião russo juntou ainda mais um brinde para distribuir pelos delegados: três carregadores de telemóveis.

Poderia ser apenas uma típica pasta de trabalho de mais uma grande cimeira, mas o Corriere Della Sera garante que uma parte importante dos brindes disponibilizados pelo governo russo só viria a ser conhecida depois do evento terminar: as pens USB e os três carregadores de telemóveis estavam “artilhados” com códigos maliciosos, que aparentemente, teriam por principal objetivo infetar os computadores dos representantes das 19 maiores economias do mundo e da UE.

notícia completa no site da Exame Informática

ferros de engomar e chaleiras espiões

notícia nas Hacker News: "a China está a colocar microchips espiões em ferros eléctricos e chaleiras capazes de procurar redes wi-fi abertas e introduzir malware"

Building Security In Maturity Model

"Cigital is proud to announce BSIMM-V, the fifth major release of the Building Security In Maturity Model (BSIMM). It is the industry's first and only software security measurement tool built on real-world data, and helps organizations understand, measure, and plan their software security initiatives.

Unlike software security methodologies based unproven theories and hunches, BSIMM-V is built on data directly observed in the field. BSIMM-V encompasses 18 times the measurement data of the original study and reports on 1 new activity, bringing the total activity count to 112."

Zeus ataca mascarado de Dropbox

A new campaign just started up involving some fake dropbox password reset emails. The emails come in with a sad computer face claiming the recipient has requested a password reset and their old password is now "dangerous".

notícia completa no blog da AppRiver

Muscular: NSA espia Google e Yahoo

do Público online hoje:

Espionagem em larga escala no Google pode ser um tiro no pé da NSA
ALEXANDRE MARTINS E JOÃO PEDRO PEREIRA 01/11/2013 - 00:00


A revelação de que a Agência de Segurança Nacional (NSA) norte-americana recolhe dados de utilizadores do Google e do Yahoo sem o conhecimento das empresas está a enfurecer o sector tecnológico do país e a causar estupefacção em alguns sectores dos serviços secretos.

"Não permitimos a nenhum governo, incluindo ao dos EUA, o acesso aos nossos sistemas. Estamos indignados com os limites a que o Governo [dos EUA] parece ter chegado para interceptar dados das nossas redes privadas, e isso reforça a urgência de se proceder a uma reforma", declarou o responsável pelo departamento legal do Google. David Drummond reagia a uma notícia do jornal The Washington Post, feita a partir dos documentos obtidos pelo analista informático Edward Snowden, segundo a qual a NSA se apodera dos dados dos utilizadores do Google e do Yahoo no momento em que estão descodificados.

De acordo com um documento datado de 9 Janeiro de 2013, nos 30 dias anteriores foram recolhidos e enviados para a sede da NSA, no estado do Maryland, mais de 180 mil milhões de novos dados relativos a comunicações de utilizadores comuns.

Esta recolha de dados é uma actividade separada do programa Prism, revelado no início de Junho, que implicava a colaboração das empresas de tecnologia envolvidas - neste caso, gigantes como o Google, Yahoo, Microsoft, Facebook ou Apple forneciam à NSA os dados que a agência requisitava, mediante autorizações judiciais do tribunal que supervisiona a actividade dos serviços norte-americanos, o Foreign Intelligence Surveillance Court.

Este projecto separado, revelado agora pelo The Washington Post, tem o nome de código Muscular e é mantido juntamente com o Government Communications Headquarters, o equivalente britânico à NSA norte-americana. As duas agências interceptam a informação quando esta circula nos cabos de fibra óptica que ligam os vários centros de dados de ambas as empresas, onde é armazenado todo o tipo de informação dos utilizadores.

A intrusão foi feita fora dos EUA, já que dentro daquele país a acção da NSA seria considerada ilegal, devido às restrições impostas à recolha de informações privadas de cidadãos norte-americanos.

Para além da escala da recolha de dados, que é ainda maior do que se pensava, através do projecto Muscular a NSA regista não apenas metadados (identificação dos remetentes e destinatários, datas da troca de e-mails ou duração de uma chamada telefónica), mas também o conteúdo, como texto, áudio e vídeos.

A informação publicada pelo jornal mostra um slide com um desenho simplificado (ver foto mais pequena nesta página), que ilustra a articulação entre os serviços que o Google disponibiliza aos utilizadores e a "nuvem" de servidores onde a informação é armazenada e na qual, de acordo com o desenho, os dados circulam de forma não codificada. É aqui que a NSA se apodera de toda a informação possível. Neste momento do processo de transmissão de dados entre servidores, o objectivo é garantir que a informação partilhada pelos utilizadores nunca se perde e que o acesso aos serviços do Google e do Yahoo é sempre rápido.

"Uma situação impossível"

O acesso quase em tempo real aos dados dos milhões de utilizadores de dois gigantes tecnológicos pode estar a criar "uma situação impossível" para o sector, disse ontem o membro da Câmara dos Representantes Adam Schiff, do Partido Democrata. Citado pela revista Foreign Policy, Schiff - também membro da Comissão de Serviços Secretos - afirma que a violação de privacidade em larga escala pela NSA "vai sem dúvida prejudicar o negócio" de empresas como o Google e o Yahoo.

Do ponto de vista comercial, a principal preocupação é a fuga de utilizadores para empresas que tenham os seus servidores localizados fora do território dos EUA, embora o mundo há muito tenha deixado de poder ser dividido entre o que é nacional ou estrangeiro, quando se fala em troca de comunicações através da Internet.

Apesar de tudo, o problema para as empresas é bem real: de acordo com um relatório publicado em Agosto pelo think tank sem fins lucrativos Information Technology and Innovation Foundation, o escândalo de espionagem da NSA pode custar ao sector 35 mil milhões de dólares (mais de 25 mil milhões de euros) até 2016.

A violação de privacidade de cidadãos em larga escala preocupa também ex-responsáveis dos serviços secretos norte-americanos, que temem perder a colaboração das empresas. "Por que raio queremos queimar uma relação com o Google ao entrar sem autorização num centro de dados", questiona-se um antigo analista citado pela Foreign Policy.

Numa primeira reacção à notícia do The Washington Post, o director da NSA, o general Keith Alexander, disse apenas que não tinha conhecimento da existência dos documentos. Questionado sobre se a NSA tinha acesso directo aos centros de dados do Google e do Yahoo, a resposta foi cuidadosa: "Que eu tenha conhecimento, isso nunca aconteceu."

O The Washington Post especulava ontem sobre uma das razões que terá levado a NSA a recolher dados sem o conhecimento das empresas: se as empresas não souberem, as preocupações com a privacidade dos utilizadores deixam de ser um problema. A mesma ideia foi verbalizada pelo presidente da Comissão de Serviços Secretos da Câmara dos Representantes, Mike Rogers, do Partido Republicano. Na audição sobre as actividades da NSA, na terça-feira, o também responsável pela supervisão dos serviços secretos dos EUA, deixou escapar uma frase polémica, numa troca de palavras com o professor de Direito Stephen Vladeck, da American University de Washington: "Não se pode violar a privacidade de alguém, se essa pessoa não souber que a sua privacidade está a ser violada."





Crimepacks vs vulnerabilidades

Uma apresentação muito interessante sobre as vulnerabilidades exploradas pelos principais crimepacks, comparando esses resultados com os de 2011:
  • How do we use intel to mitigate a threat?
  • What are optimal defenses for mass malware?
  • How do crimepacks acquire exploits?
  • Is security research being applied by crimepack authors?


Vídeo:

Vídeos de vírus em acção

da Wired:

Back in 2004, a computer worm called Sasser swept across the web, infecting an estimated quarter million PCs. One of them belonged to Daniel White, then 16 years old. In the course of figuring out how to purge the worm from his system, the teenager came across the website of anti-virus company F-Secure, which hosted a vast field guide of malware dating back to the 1980s, complete with explanations, technical write-ups, and even screenshots for scores of antiquated viruses. He found it intoxicating. “I just read all I could,” he says, “and when I’d read all of that I found more sources to read.” He’d caught the computer virus bug.

Nine years and a handful of data loss scares later, White has amassed perhaps the most comprehensive archive of malware-in-action found anywhere on the web. His YouTube channel, which he started in 2008, includes more than 450 videos, each dedicated to documenting the effect of some old, outdated virus. The contents span decades, stretching from the dawn of personal computing to the heyday of Windows in the late ’90s. It’s a fascinating cross-section of the virus world, from benign programs that trigger goofy, harmless pop-ups to malicious, hell-raising bits of code. Happening across one of White’s clips for a virus you’ve done battle with back in the day can be a surprisingly nostalgic experience.

artigo completo na Wired

o canal do YouTube com filmes de vírus em acção


Apple iMessage

Investigadores afirmam que a Apple pode interceptar a comunicação do serviço iMessage, apesar de terem afirmado o contrário. A razão é a falta de certificate pinning.

What we are not saying: Apple reads your iMessages.

What we are saying: Apple can read your iMessages if they choose to, or if they are required to do so by a government order.

As Apple claims, there is end-to-end encryption. The weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages.

Also remember that the content of the message is one thing, but the metadata are also sensitive. And there, you rely on Apple to carry your messages, thus they have your metadata.

Now, you can read the article or jump to end of the article where we summarized it.

artigo

slides da apresentação

Backdoor em routers D-Link

Giro pois apresentam os detalhes de como encontraram a backdoor:

Reverse Engineering a D-Link Backdoor


(com agradecimentos ao Duarte Barbosa)

CryptoLocker ramsomware

O preço subiu. Costumava cobrar 100 dólares para decifrar os ficheiros, agora cobra 300...

notícia completa em Hacker News


device fingerprinting

Top sites (and maybe the NSA) track users with “device fingerprinting”

Close to 1.5 percent of the Internet's top websites track users without their knowledge or consent, even when visitors have enabled their browser's Do Not Track option, according to an academic research paper that raises new questions and concerns about online privacy.

The research, by a team of scientists in Europe, is among the first to expose the real-world practice of "device fingerprinting," a process that collects the screen size, list of available fonts, software versions, and other properties of the visitor's computer or smartphone to create a profile that is often unique to that machine. The researchers scanned select pages of the top 10,000 websites as ranked by Alexa and found that 145 of them deployed code based on Adobe's Flash Player that fingerprinted users surreptitiously. When they expanded their survey to the top one million sites, they found 404 that used JavaScript-based fingerprinting. The researchers said the figures should be taken as the lower bounds since their crawlers weren't able to access pages behind CAPTHCAs and other types of Web forms. Mainstream awareness of fingerprinting first surfaced three years ago following the release of research from the Electronic Frontier Foundation.

Device fingerprinting serves many legitimate purposes, including mitigating the impact of denial-of-service attacks, preventing fraud, protecting against account hijacking, and curbing content scraping, bots, and other automated nuisances. But fingerprinting also has a darker side. For one, few websites that include fingerprinting code in their pages disclose the practice in their terms of service. For another, marketing companies advertise their ability to use fingerprinting to identify user behavior across websites and devices. That suggests device fingerprinting may be used much the way tracking cookies are used to follow people as they browse from site to site, even though fingerprinting isn't covered by most laws governing cookies and websites' Do Not Track policies. And unlike user profiling that relies on "stateful" browser cookies that are usually easy to delete from hard drives, most end users have no idea that their computers are being fingerprinted, and they have few recourses to prevent the practice.

"Device fingerprinting raises serious privacy concerns for everyday users," the researchers wrote in a recently published paper. "Its stateless nature makes it hard to detect (no cookies to inspect and delete) and even harder to opt-out. Moreover, fingerprinting works just as well in the 'private-mode' of modern browsers, which cookie-conscious users may be utilizing to perform privacy-sensitive operations."

More troubling, device fingerprinting may have given the National Security Agency and its counterparts around the world an avenue to identify people using the Tor privacy service. As disclosed in an installment of previously secret NSA documents published last week by The Guardian, the spy agency is capable of injecting script redirections into the traffic of Tor users. Slide 16 of an NSA presentation titled Tor Stinks included the excerpt: "Goal: ... Ignore user-agents from Torbutton or Improve browser fingerprinting? Using javascript instead of Flash?"

The Firefox browser that ships with the Tor Browser Bundle has long attempted to prevent fingerprinting by limiting the customizable properties that are available to users. It also placed a cap on the number of fonts a webpage can request or load. The fingerprinting researchers found a way to bypass the font cap by making use of the Web programming property known as CSS font face. The researchers reported their findings to Tor developers, who have since patched the weaknesses.

Google paga descoberta de vulnerabilidades

... em software open source

The new experimental program offers rewards from $500 to $3,133.70 for coming up with security improvements to key open-source software projects. It is geared to complement Google's bug bounty program for Google Web applications and Chrome.

Google's program initially will encompass network services OpenSSH, BIND, ISC DHCP; image parsers libjpeg, libjpeg-turbo, libpng, giflib; Chromium and Blink in Chrome; libraries for OpenSSh and zlib; and Linux kernel components, including KVM. Google plans to next include Web servers Apache httpd, lighttpd, ngix; SMTP services Sendmail, Postfix, Exim; and GCC, binutils, and llvm; and OpenVPN.

Dark Reading

Espionagem com cookies?

How the NSA might use Hotmail, Yahoo or other cookies to identify Tor users
ArsTechnica

One of the more intriguing revelations in the most recent leak of NSA documents is the prospect that the spy agency is using browser cookies from Yahoo, Hotmail or the Google-owned DoubleClick ad network to decloak users of the Tor anonymity service.

One slide from a June 2012 presentation titled "Tor Stinks" carried the heading "Analytics: Cookie Leakage" followed by the words "DoubleclickID seen on Tor and nonTor IPs." The somewhat cryptic slide led to rampant speculation on Twitter and elsewhere that the NSA and its British counterpart, the Government Communications Headquarters (GCHQ), are able to bypass Tor protections by somehow manipulating the cookies Google uses to track people who have viewed DoubleClick ads. Principal volunteers with the Tor Project believe such a scenario is "plausible," but only in limited cases. Before explaining why, it helps to discuss how such an attack might work.

As documented elsewhere in the "Tor Stinks" presentation, the spy agencies sometimes use secret servers that are located on the Internet backbone to redirect some targets to another set of secret servers that impersonate the websites the targets intended to visit. Given their privileged location, the secret backbone nodes, dubbed "Quantum," are able to respond to the requests faster than the intended server, allowing them to win a "race condition." Government spies can't track cookies within the Tor network, because traffic is encrypted during its circuitous route through three different relays. But if the spies can watch the Internet backbone, they may be able to grab or manipulate cookies once the data exits Tor and heads toward its final destination.

A slide later in the deck refers to something called "QUANTUMCOOKIE," which purportedly "forces clients to divulge stored cookies." There are multiple ways to interpret such a vague bullet point. One of the more plausible is that the Quantum backbone servers can be used to serve cookies not just from DoubleClick or Google, but from Yahoo, Hotmail, or any other widely used Internet service.

preso autor de ataque DDoS gigante contra a Spamhaus

A British police investigation into the massive DDoS attack against internet watchdog Spamhaus has led to the arrest of a 16-year-old London schoolboy who, it is claimed, is part of an international gang of cyber-crooks.

"The suspect was found with his computer systems open and logged on to various virtual systems and forums," says the police document shown to the London Evening Standard. "The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies."

The young miscreant was arrested in April at the same time as a 35 year-old Dutchman (thought to be Sven Kamphuis – the owner of hosting firm Cyberbunker) as part of an investigation into the Spamhaus attack by British police dubbed Operation Rashlike. The arrest was kept secret, and the boy has been released on bail pend a trial later in the year.

The police document states that the Spamhaus attack in March was the "largest DDoS attack ever seen," and claims the performance of the London Internet Exchange was hard hit. The attack caused "worldwide disruption of the functionality" of the internet, it states.

Certainly the attack was a biggie. On March 18, Spamhaus and its networking partner CloudFlare started getting DDoSed at around 90Gbps. When that failed to take the site offline, the attackers went upstream to ISPs and internet exchanges in Amsterdam and London (even El Reg's own Trevor Potts inadvertently took part), and by March 22 over 300Gbps was hitting the Spamhaus servers.

Maiores ciber-ameaças segundo a ENISA

ENISA today presented its list of top cyber threats, as a first “taste” of its interim Threat Landscape 2013 report. The study analyses 50 reports, and identifies an increase in threats to: infrastructure through targeted attacks; mobile devices; and social media identity thefts carried out by cyber-criminals over Cloud services.
   
Some key trends identified in the study are:

  • Cyber-criminals increasingly using advanced methods to implement attack techniques (vectors) that are non-traceable and difficult to take down. Anonymisation technologies and peer-to peer systems (so called distributed technologies) play an important role in this.  It is clear that mobile technology is increasingly exploited by cyber-criminals. Threats of all kinds that were encountered in the more traditional arena of IT will affect mobile devices and the services available on these platforms.
  • The wide spread of mobile devices leads to an amplification of abuse based on knowledge/attack methods targeting social media.
  • The availability of malware and cyber-hacking tools and services, together with digital currencies (e.g. Bitcoins) and anonymous payment services is opening up new avenues for cyber-fraud and criminal activity.
  • There is a real possibility of large impact events when attacks combining various threats are successfully launched.
  • As reported by ENISA in its report on major cyber attacks (2013/07/20), cyber-attack is the sixth most important cause of outages in telecommunication infrastructures, and it impacts upon a considerable number of users. Taking into account these incidents, and denial of service threat developments, we observe an increase in infrastructure threats in 2013.


The study identifies the following top threats with major impact since 2012.

  • Drive-by-exploits: browser-based attacks still remain the most reported threats, and Java remains the most exploited software for this kind of threat.
  • Code Injection: attacks are notably popular against web site Content Management Systems (CMSs). Due to their wide use, popular CMSs constitute a considerable attack surface that has drawn the attention of cyber-criminals. Cloud service provider networks are increasingly used to host tools for automated attacks.
  • Botnets, Denial of Services, Rogueware/Scareware, Targeted Attack, Identity Theft and Search Engine Poisoning are the other trending threats.

A full ENISA Threat Landscape 2013 report is due by the end of the year.
(...)

For full report; ENISA Threat Landscape mid year 2013

mais hackers sob contrato...

... mas desta vez do outro lado da lei (ou não).

Meet Hacking Team, the company that helps the police hack you
The Verge

In 2001, a pair of Italian programmers wrote a program called Ettercap, a "comprehensive suite for man-in-the-middle attacks" — in other words, a set of tools for eavesdropping, sniffing passwords, and remotely manipulating someone’s computer. Ettercap was free, open source, and quickly became the weapon of choice for analysts testing the security of their networks as well as hackers who wanted to spy on people. One user called it "sort of the Swiss army knife" of this type of hacking.

Ettercap was so powerful that its authors, ALoR and NaGA, eventually got a call from the Milan police department. But the cops didn’t want to bust the programmers for enabling hacker attacks. They wanted to use Ettercap to spy on citizens. Specifically, they wanted ALoR and NaGA to write a Windows driver that would enable them to listen in to a target’s Skype calls.

That’s how a small tech security consultancy ended up transforming into one of the first sellers of commercial hacking software to the police. ALoR’s real name is Alberto Ornaghi and NaGA is Marco Valleri. Their Milan-based company, Hacking Team, now has 40 employees and sells commercial hacking software to law enforcement in "several dozen countries" on "six continents."

notícia completa em The Verge

Hidden Lynx: hackers sob contrato


A hacking team with unusual skill and persistence has penetrated more than 100 organizations around the world, including US defense contractors, investment banks, and security companies whose sole purpose is to defend against such attacks, according to a detailed report.

One of the best known exploits of the so-called Hidden Lynx group was the devastating compromise of security firm Bit9 in 2012. The Waltham, Massachusetts, company provides an "application whitelisting" service that allows customers to run only a small set of approved software on their PCs and networks. By hacking into the company's servers and stealing the private cryptographic keys Bit9 used to digitally sign legitimate apps, the intruders were able to infect more valuable targets inside military contracting firms who used the service.

Notícia na ArsTechnica

Relatório da Symantec

Quem escreve o Linux

Google and Samsung soar into list of top 10 Linux contributors
And Microsoft's days of major Linux contributions have come to a halt.
ArsTechnica

mais empresas do que o mítico voluntário:



FBI recorre a malware

O FBI usou malware para descobrir a identificação de utilizadores de uma loja da rede Tor chamada Freedom Hosting (que, como é fácil imaginar, não vendia propriamente produtos legais). O ataque é um típico drive-by download: quando alguém acedia à dita loja, via uma página que continha um script escrito em Javascript que explorava uma vulnerabilidade na versão do Firefox usada na rede Tor.

Um excerto do script está na figura.

Artigo completo na Wired: FBI Admits It Controlled Tor Servers Behind Mass Malware Attack

Hackers tremam se faltar a electricidade

Do Público de hoje (o sublinhado é nosso):

A partir do quarto, jovem argentino desviava mais de 37 mil euros por mês

Um argentino de 19 anos foi detido por suspeita de liderar um esquema de fraude informática através da qual desviava mensalmente cerca de 50 mil dólares por mês (37.600 euros). O jovem, que já foi apelidado pela polícia argentina de “superhacker”, era investigado há mais de um ano.

Os alvos preferidos do hacker eram empresas do país especializadas em jogos e transferências de dinheiro online, indica o jornal argentino Clarín. A polícia investiga agora se empresas fora da Argentina sofreram também desvios e se o jovem tinha como cúmplices o irmão menor e os próprios pais.

O diário avança ainda que a polícia federal investigava o agora detido há mais de um ano, depois de uma denúncia de uma empresa de hosting. A empresa alegava que tinha havido interferências nas ordens de pagamento dos seus clientes e que algum do dinheiro nunca chegava ao destino.

Na última sexta-feira, dia da detenção, a polícia ordenou que fosse cortado o abastecimento de electricidade na zona da residência do suspeito em San Cristóbal, um bairro em Buenos Aires, para impedir que este destruísse provas que pudessem levar à sua acusação.

Nas buscas realizadas à casa do suspeito a polícia apreendeu vários computadores no quarto do suspeito, bem como routers e mais de 14 discos rígidos. “Acreditamos que ele e o seu irmão montaram um negócio tão lucrativo que os seus pais optaram por não perguntar o que estavam a fazer”, confidenciou ao diário um dos investigadores envolvidos no processo.

A polícia suspeita que o dinheiro desviado era depositado numa conta em Rosario, a cerca de 300 quilómetros da capital argentina. Através de ataques malware (vírus informáticos), o jovem criou uma rede de computadores que desviava dinheiro de contas de terceiros, sem deixar qualquer rasto da operação.

O jovem está agora acusado de três crimes e se for condenado poderá ter que cumprir uma pena de prisão de mais de dez anos.

NSA e criptografia na internet

Um excelente artigo sobre o tema: On the NSA, Matthew Green, Johns Hopkins University

Um par de excertos:

The TL;DR is that the NSA has been doing some very bad things. At a combined cost of $250 million per year, they include:

  • Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.
  • Influencing standards committees to weaken protocols.
  • Working with hardware and software vendors to weaken encryption and random number generators.
  • Attacking the encryption used by 'the next generation of 4G phones'.
  • Obtaining cleartext access to 'a major internet peer-to-peer voice and text communications system' (Skype?)
  • Identifying and cracking vulnerable keys.
  • Establishing a Human Intelligence division to infiltrate the global telecommunications industry.
  • And worst of all (to me): somehow decrypting SSL connections.
(...)


there are basically three ways to break a cryptographic system. In no particular order, they are:
  • Attack the cryptography. This is difficult and unlikely to work against the standard algorithms we use (though there are exceptions like RC4.) However there are many complex protocols in cryptography, and sometimes they are vulnerable.
  • Go after the implementation. Cryptography is almost always implemented in software -- and software is a disaster. Hardware isn't that much better. Unfortunately active software exploits only work if you have a target in mind. If your goal is mass surveillance, you need to build insecurity in from the start. That means working with vendors to add backdoors.
  • Access the human side. Why hack someone's computer if you can get them to give you the key?

Várias cifras quebradas pela NSA?

Report: NSA defeats many encryption efforts

The agency has been working since 2000 to circumvent encryption through a variety of methods, a news report says

By Grant Gross
September 05, 2013 — IDG News Service — The U.S. National Security Agency has been circumventing many online encryption efforts through a combination of supercomputers, back doors built into technology products, court orders and other efforts, according to a new report from The New York Times and ProPublica.

The NSA has cracked much of the encryption that protects global commerce, banking, trade secrets and medical records, according to the report, which cites documents leaked by former NSA contractor Edward Snowden. The NSA has invested billions of dollars in efforts to defeat encryption since 2000, according to the report.

In addition to deploying supercomputers to crack encryption, the NSA has worked with U.S. and foreign technology companies to build entry points into their products, the report said. The agency spends more than US$250 million a year on its Sigint Enabling Project, which engages the IT industry in an effort to get companies to make their commercial products "exploitable," the report said, citing documents from Snowden.

The report did not name companies that have cooperated with the NSA.

Representatives of the NSA and the U.S. Office of Director of National Intelligence didn't immediately respond to a request for comments on the news report.

In addition, British intelligence agency GCHQ, likely working with the NSA, has been attempting to hack into the protected traffic at Google, Yahoo, Facebook and Microsoft's Hotmail, the report said. GCHQ had developed "new access opportunities" into Google's system, according to a document from Snowden.

The NSA has also been working for years to weaken international encryption standards, the report said. NSA memos appear to confirm that the agency planted vulnerabilities in an encryption standard adopted in 2006 by the U.S. National Institute of Standards and Technology, the report said.

The NSA sees the ability to decrypt information a vital capacity, and the U.S. competes with China, Russia and other countries in that area, according to the documents referenced in the report.


Wi-Fi is watching you

Dois trabalhos apresentados na conferência ACM SIGCOMM 2013 (uma das conferências de topo de redes) mostram como usar Wi-Fi para obter informação sobre localização e movimento de pessoas. A informação é obtida através da perturbação que as pessoas introduzem no sinal de Wi-Fi, por isso não exige que as potenciais vítimas transportem qualquer tipo de dispositivo vulnerável.

* See Through Walls with Wi-Fi! (artigo completo)

* Whole-Home Gesture Recognition Using Wireless Signals (demonstração)

Espiados pelos caixotes de lixo

"Renew, the London-based marketing firm behind the smart trash cans, bills the Wi-Fi tracking as being "like Internet cookies in the real world" (see the promotional video below). In a press release, it boasts of the data-collection prowess of the cans' embedded Renew "ORB" technology, which captures the unique media access control (MAC) address of smartphones that belong to passersby. During a one-week period in June, just 12 cans, or about 10 percent of the company's fleet, tracked more than 4 million devices and allowed company marketers to map the "footfall" of their owners within a 4-minute walking distance to various stores."

Um (hilariante) vídeo promocional da tecnologia:






Notícia completa na ArsTechica.

XKeyscore - um motor de busca para serviços secretos

XKeyscore: NSA tool collects 'nearly everything a user does on the internet'
Guardian

A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.

The NSA boasts in training materials that the program, called XKeyscore, is its "widest-reaching" system for developing intelligence from the internet.

The latest revelations will add to the intense public and congressional debate around the extent of NSA surveillance programs. They come as senior intelligence officials testify to the Senate judiciary committee on Wednesday, releasing classified documents in response to the Guardian's earlier stories on bulk collection of phone records and Fisa surveillance court oversight.

The files shed light on one of Snowden's most controversial statements, made in his first video interview published by the Guardian on June 10.

"I, sitting at my desk," said Snowden, could "wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email".

US officials vehemently denied this specific claim. Mike Rogers, the Republican chairman of the House intelligence committee, said of Snowden's assertion: "He's lying. It's impossible for him to do what he was saying he could do."

But training materials for XKeyscore detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search. The request is not reviewed by a court or any NSA personnel before it is processed.

(...)

Notícia completa no Guardian

Apresentação sobre o XKeyscore

Política de segurança para dispositivos móveis

Five things to consider for a mobile security policy
Mobile is the new endpoint in IT. But organizations are still struggling with mobile security. Aaron Rhodes of Neohapsis lists five steps to take when developing a corporate mobile security policy
Fonte: CSO

Os 5 passos:
  1. set a strategy
  2. plan well
  3. establish policy
  4. train
  5. comply

"some of the more common line items in such policies";
  • Mobile devices must be password protected
  • Mobile devices must use device encryption before accessing corporate e-mail
  • Mobile devices may not be "rooted" or "jailbroken"
  • Mobile devices must be managed by the corporate IT department using the corporate approved MDM system

Wiretapping na prática

When the feds come knocking: The tale of a Utah ISP, a secret court order, and a little black box

Over the course of the last month and a half, the world has begun to find out more about this shadowy court, the Foreign Intelligence Surveillance Court (FISC), which was set up in 1978 under its namesake law, the Foreign Intelligence Surveillance Act (FISA). (...)

Former National Security Agency (NSA) contractor turned whistleblower Edward Snowden's leaks brought to light some details, albeit not many, relating to these secretive warrants and orders handed down by the court.

But little did we know of logistics; specifically, how they are handed to companies that hold data on terrorism suspects and foreign spies who are living and working in the United States. (...)

XMission is one of Utah's largest, and one of few independent, Internet providers in the state. Pete Ashdown, the company's chief executive, spoke to BuzzFeed on Friday about how he received a warrant under FISA in 2010. (...)

For nine months, XMission was forced to install a "little black box" that was capturing all the traffic to one particular customer: "Everything they were sending and receiving," he said. (...)

notícia completa na ZDnet

KINS - novo cavalo de Tróia ameaça bancos

July 24, 2013 — CSO — With the major developers of banking malware laying low, a new crook on the block has emerged gunning to be top dog in the market.

The developer's new malware is called KINS, and he's selling it for $5,000 a pop, although that price is likely to climb if the malware is a good as he brags it is.

"[KINS is] a new professional-grade banking Trojan that is very likely taking its first steps in the cybercrime underground and could be poised to infect new victims as quickly and effectively as its Zeus, SpyEye and Citadel predecessors," Limor Kessem, a cybercrime specialist with RSA, the security division of EMC, wrote in a blog post on Tuesday.

The Trojan is entering the market at an opportune time, as developers of such major banking malware have either retired, gone into hiding or otherwise removed their skills from the open market.

"There aren't any major commercial Trojans in the underground for sale right now," Kessem said in an interview. "KINS will probably be the next Trojan that will take over."

In a message posted to a Russian language underground forum and translated by RSA, KINS' developer said the malware has been developed from scratch and not a modification of another product. Nevertheless, RSA found a number of similarities between it and previous Trojans.

For example, like Zeus and SpyEye, the malware has a main file and DLL-based plug-ins. One plug-in is already available for $2,000, according to the malware developer's forum posting, to counter Rapport, a popular fraud protection program currently used by banks.

(...)



Fontes: CSO, RSA blogs

Malware para acesso remoto a Android

da ArsTechnica:


Android malware that gives hackers remote control is on rise


Remote access tools have long been a major part of targeted hacker attacks on individuals and corporate networks. RATs have been used for everything from hacking the e-mail boxes of New York Times reporters to capturing video and audio of victims over their webcams. Recently, wireless broadband and the power of smartphones and tablets have extended hackers’ reach beyond the desktop. In a blog post yesterday, Symantec Senior Software Engineer Andrea Lelli described the rise of an underground market for malware tools based on Androrat, a remote administration tool that can give an attacker complete control over devices running the Android OS.


Androrat was published on GitHub in November 2012 as an open source tool for remote administration of Android devices. Packaged as a standard Android application (in an APK file), Androrat can be installed as a service on the device that launches at start-up or as a standard “activity” application. Once it’s installed, the user doesn’t need to interact with the application at all—it can be activated remotely by an SMS message or a call from a specific phone number.


The app can grab call logs, contact data, and all SMS messages on the device, as well as capture messages as they come in. It can provide live monitoring of call activity, take pictures with the phone’s camera, and stream audio from the phone’s microphone back to its server. It can also post “toasts” (application messages) on the screen, place phone calls, send text messages, and open websites in the phone’s browser. If it is launched as an application (or “activity”), it can even stream video from the camera back to the server.


Hackers have taken Androrat’s code and run with it. Recently, underground marketplaces for malware have begun to offer Androrat “binder” tools, which can attach the RAT to the APK files of other legitimate applications. When a user downloads what appears to be a harmless app that has been bound to Androrat, the RAT gets installed along with the app without requiring additional user input, sneaking past Android’s security model. Symantec reports that analysts have found 23 instances of legitimate apps that have been turned into carriers for Androrat. The code has also been incorporated into other “commercial” malware, such as Adwind—a Java-based RAT that can be used against multiple operating systems.


(...)


Chaves privadas roubadas à Opera

A notícia fala de certificados mas obviamente refere-se às chaves privadas usadas para assinar software:

"Hackers penetrated network servers belonging to Opera Software, stole at least one digital certificate, and then used it to distribute malware that incorrectly appeared to be published by the browser maker."

http://arstechnica.com/security/2013/06/attackers-sign-malware-using-crypto-certificate-stolen-from-opera-software/

Microsoft paga por vulnerabilidades

Microsoft on Wednesday announced it will launch a "bug bounty" program, designed to stamp out security vulnerabilities in its software before and after its products are launched.

The software giant has previously offered as much as $250,000 for security vulnerabilities disclosed as part of its BlueHat prize during contests, but the company had yet to offer a long-term, ongoing bug bounty program to encourage researchers to find flaws in its products.

(...)

But the twist in the tale is that these bug bounty programs will specifically include the company's pre-release software, such as Internet Explorer 11 preview, which will be included with Windows 8.1 ("Blue") on June 26, helping Microsoft stamp out bugs before its products are released into the wider population.

(...)

notícia completa na ZDnet

Obad.a, malware sofisticado para Android

The most sophisticated Android Trojan
Roman Unuchek
Kaspersky Lab Expert

Recently, an Android application came to us for analysis. At a glance, we knew this one was special. All strings in the DEX file were encrypted, and the code was obfuscated.

The file turned out to be a multi-functional Trojan, capable of the following: sending SMS to premium-rate numbers; downloading other malware programs, installing them on the infected device and/or sending them further via Bluetooth; and remotely performing commands in the console. Now, Kaspersky Lab’s products detect this malicious program as Backdoor.AndroidOS.Obad.a.

Malware writers typically try to make the codes in their creations as complicated as possible, to make life more difficult for anti-malware experts. However, it is rare to see concealment as advanced as Odad.a’s in mobile malware. Moreover, this complete code obfuscation was not the only odd thing about the new Trojan.


Programa PRISM

do Público:

"A Agência de Segurança Nacional (NSA) e o FBI têm tido acesso directo aos servidores de nove gigantes tecnológicos como a Microsoft, Google, Apple, YouTube ou Facebook. Acederam assim a informação e contactos dos utilizadores, segundo um documento secreto a que os jornais The Washington Post e The Guardian tiveram acesso.

O programa de recolha de dados, com o nome de código PRISM, começou em 2007, na Presidência Bush, e prosseguiu na Administração Obama.

As informações sobre o acesso aos servidores surge depois de divulgado o controlo pela Administração norte-americana de registos de milhares de chamadas da telefónica Verizon e revela novas práticas de vigilância dos Estados Unidos.

O programa secreto abrange nove importantes empresas tecnológicas – Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, You Tube e Apple. O documento citado pelos dois diários indica que as empresas cooperaram no programa, o que é por elas negado.

O Guardian diz ter verificado a atenticidade do documento em que o PRISM é descrito. Trata-se, escreve o jornal, de Power Point de 41 slides usado para treinar operacionais dos serviços de espionagem.

“Os membros do Congresso que conheciam o programa estavam obrigados por juramento a não revelar a sua existência”, escreve o Washington Post. O PRISM “permite à NSA copiar o conteúdo dos emails, dos arquivos enviados e das conversas nos chats”, refere o Guardian. O Post diz que também áudios, vídeos e fotografias são elementos susceptíveis de serem investigados."

NSA Prism program taps in to user data of Apple, Google and others (Guardian)

NSA slides explain the PRISM data-collection program (Washington Post)