Phishing and mules

The subject is far from new, but Público has a good explanation: http://www.publico.pt/tecnologia/noticia/anuncios-de-emprego-recrutam-cumplices-para-redes-de-phishing-1589626


Attacks on financial institutions


Cyber-terrorism? Cyber-war?

"On March 28, American Express' website went offline for at least two hours during a distributed denial of service attack. A group calling itself "the cyber-fighters of Izz ad-Din al-Qassam" claimed responsibility for the attack, which began at about 3:00pm Eastern Time.

In a statement, an American Express spokesperson said, "Our site experienced a distributed-denial-of-service (DDoS) attack for about two hours on Thursday afternoon...We experienced intermittent slowing on our website that would have disrupted customers' ability to access their account information. We had a plan in place to defend against a potential attack and have taken steps to minimize ongoing customer impact."

The American Express DDoS is part of a new wave of attacks started two weeks ago by the Izz ad-Din al-Qassam group, which launched a larger campaign targeting US financial institutions that began last September. The group's alleged goal is to force the take-down of an offensive YouTube video—or extract an ongoing price from American banks as long as the video stays up, which could be indefinitely.

These attacks are also part of a larger trend of disruptive and destructive attacks on financial institutions by apparently politically-motivated groups, the most damaging of which was the attack on South Korean banks and other companies last week. It's a trend that has surprised some security analysts, considering that the financial industry has focused more on advanced persistent threat (APT) attacks and cyber-espionage in recent years."

Full story at Ars Technica

The biggest DDoS attack ever?

CloudFlare has claimed to have mitigated the biggest distributed denial-of-service (DDoS) attack in the history of the internet.

Spamhaus, a not-for-profit anti-spam organisation, came to CloudFlare last week for assistance against a large DDoS attack it was experiencing. Switching over to CloudFlare's network on March 19, the attack began with a 10Gbps flood of traffic, ramping up in excess of 100Gbps later that night. It initially took Spamhaus' website down, with the outage independently observed by the Internet Storm Center at the time.

According to CloudFlare, the majority of the attack was traffic sent using a technique called DNS (domain name system) reflection. Under normal circumstances, DNS resolvers wait for a user request, such as a lookup for the IP address for a domain name, then respond accordingly.

(...)

Full story at ZDNet
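To see why reflection turns a small spoofed query into a large flood at the victim, here is an added example (my own code, not from the ZDNet/CloudFlare article) that builds a wire-format DNS query, a constructed oversized response to it, and computes the amplification factor. It also shows the check a victim can run on captured datagrams: a DNS response from UDP port 53 whose transaction id matches no query the host sent is reflected traffic. The packet layout follows RFC 1035 (no EDNS0); every name, record, address, transaction id and function name below is an assumption made up for the demo. ANY queries and large TXT records are the kind of request an attacker picks precisely because they maximise the response size.

```python
"""DNS reflection/amplification on constructed packets (runs offline).

Added example, not from the article. Wire format per RFC 1035; the names,
records, addresses and transaction ids below are made up for the demo.
"""
import struct

DNS_PORT = 53
QTYPE_ANY, QTYPE_TXT = 255, 16


def encode_name(name):
    """Turn 'example.com' into the length-prefixed label sequence ending in 0."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """A minimal query: 12-byte header with RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, answers, ttl=3600):
    """Answer `query` with the given (rtype, rdata) records. The owner name of
    each record is a compression pointer (0xC00C) to the question name at
    offset 12, as real resolvers emit it."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1, RD, RA
    body = query[12:]                                   # echo the question section
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


def parse_header(pkt):
    """Decode the fixed 12-byte header into the fields the checks below need."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sends with a spoofed source."""
    return len(response) / len(query)


def txt_rdata(text):
    """TXT rdata is one or more <length><chars> strings, each at most 255 bytes."""
    data = text.encode("ascii")
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))


def reflected_responses(datagrams, outstanding_ids):
    """Victim-side check over captured UDP datagrams (src_ip, src_port, payload):
    a DNS response (QR=1) from port 53 whose transaction id matches no query
    this host has outstanding was solicited by someone spoofing our address."""
    hits = []
    for src_ip, src_port, payload in datagrams:
        if src_port != DNS_PORT or len(payload) < 12:
            continue
        hdr = parse_header(payload)
        if hdr["qr"] == 1 and hdr["id"] not in outstanding_ids:
            hits.append((src_ip, hdr["id"], len(payload)))
    return hits


def demo():
    """Small ANY query, fat answer: the ratio is the attacker's multiplier."""
    query = build_query("example.com")                           # 29 bytes on the wire
    fat = [(QTYPE_TXT, txt_rdata("x" * 250))] * 10               # constructed zone data
    response = build_response(query, fat)
    return query, response, amplification_factor(query, response)


if __name__ == "__main__":
    query, response, factor = demo()
    print(f"query {len(query)} B -> response {len(response)} B, x{factor:.1f}")
    # Constructed capture: one legitimate reply, one reflected reply, one query.
    capture = [
        ("198.51.100.10", 53, build_response(build_query("example.com", txid=0x1234), [])),
        ("198.51.100.11", 53, build_response(build_query("example.com", txid=0xBEEF), [])),
        ("203.0.113.5", 40000, build_query("example.com")),
    ]
    print(reflected_responses(capture, outstanding_ids={0x1234}))
```

The transaction-id check is only a rough heuristic (ids are 16 bits and a busy resolver client has many outstanding), but it is enough to tell a host under reflection that it is the victim rather than the source; the fix for the open resolvers doing the reflecting is to stop answering recursive queries from arbitrary addresses, and the fix for the networks the spoofed queries leave from is source-address filtering.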

Vulnerability in SSL/TLS

Or rather, in the RC4 stream cipher, which SSL/TLS can use. The fix is to stop using RC4: drop the RC4 cipher suites from the server configuration instead of keeping them around as a workaround for the attacks on CBC mode:


HTTPS Security Encryption Flaws Found
InformationWeek

The flaw exists in the RC4 encryption algorithm that's often used to help secure the SSL/TLS communications that underpin secure (HTTPS) Web pages. The flaw was first disclosed last week by University of Illinois at Chicago professor Dan Bernstein at the Fast Software Encryption conference in Singapore, in a talk titled "Failures of secret-key cryptography" that's based on research he conducted with researchers from University of London's Royal Holloway and the Eindhoven University of Technology in the Netherlands.

"The transport layer security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks like the Internet," according to the group's research presentation. "It is widely used to secure Web traffic and e-commerce transactions on the Internet."

But RC4, the researchers found, isn't sufficiently random, and with enough time and effort, an attacker could recover some plaintext from a communication secured using TLS and RC4. "We have found a new attack against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used," they said. "The attacks arise from statistical flaws in the keystream generated by the RC4 algorithm, which become apparent in TLS ciphertexts when the same plaintext is repeatedly encrypted at a fixed location across many TLS sessions."

The vulnerability has wide-ranging repercussions, given current RC4 use. "Around 50% of all TLS traffic is currently protected using the RC4 algorithm," they said. "It has become increasingly popular because of recent attacks on CBC-mode encryption on TLS, and is now recommended by many commentators." Those CBC-mode encryption attacks have included padding oracle attacks, the BEAST attack against browsers and the Lucky 13 attack that was first disclosed last month.

(...)
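To make the "statistical flaws in the keystream" concrete, here is an added example (my own code, not from the article or from the researchers) that reproduces the best known of those biases, the Mantin-Shamir bias: RC4's second keystream byte is 0 with probability about 1/128 instead of the ideal 1/256. The setting is a toy stand-in for TLS: the same plaintext (think of a session cookie) is encrypted at the same position under many fresh random keys, and the attacker, seeing only ciphertexts, recovers the byte at that position by majority vote. The plaintext, the 128-bit key length, the session count and the function names are arbitrary choices for the demo; the real attack in the paper uses the biases of all of the first 256 keystream bytes, so it needs far more sessions for bytes where the bias is weaker.

```python
"""RC4 keystream bias: recovering a plaintext byte from many ciphertexts.

Added example (not from the article or the researchers). A toy stand-in for the
TLS setting: one secret is encrypted at a fixed position under many fresh keys.
"""
import random
from collections import Counter


def rc4_keystream(key, n):
    """First n keystream bytes of textbook RC4 (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def simulate_sessions(plaintext, sessions, seed=1):
    """Encrypt `plaintext` at offset 0 under `sessions` fresh random 128-bit keys.

    Returns (ciphertexts, zeros), where `zeros` counts how often keystream byte 1
    was 0. That count is an oracle used only to display the bias; the attacker
    below works from the ciphertexts alone. Keys come from a seeded PRNG so the
    run is reproducible (constructed data, not real TLS sessions).
    """
    rng = random.Random(seed)
    ciphertexts, zeros = [], 0
    for _ in range(sessions):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, len(plaintext))
        zeros += ks[1] == 0
        ciphertexts.append(bytes(p ^ k for p, k in zip(plaintext, ks)))
    return ciphertexts, zeros


def recover_byte(ciphertexts, position=1):
    """Majority vote: since Z[1] is most often 0, C[1] = P[1] ^ Z[1] is most
    often P[1] itself. Returns (guess, votes for the winner, votes for runner-up)."""
    counts = Counter(ct[position] for ct in ciphertexts).most_common(2)
    (guess, top), (_, second) = counts
    return guess, top, second


if __name__ == "__main__":
    secret = b"SESSIONID=4"   # constructed plaintext; byte 1 is 'E'
    n = 16000
    cts, zeros = simulate_sessions(secret, n)
    print(f"P(Z[1] == 0) observed: {zeros / n:.4f}  (ideal 1/256 = {1 / 256:.4f})")
    guess, top, second = recover_byte(cts)
    print(f"recovered byte 1: {chr(guess)!r} ({top} votes vs runner-up {second})")
```

With 16000 sessions the correct byte collects roughly twice the votes of any other candidate, which is why the researchers' count of "many TLS sessions" is the whole attack: a browser that re-sends the same cookie on every connection supplies exactly the repetition the bias needs, and no amount of key freshness helps, because the bias is a property of the cipher, not of the key.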

Tallinn Manual on cyber-warfare


The Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the invitation of the Centre [i.e., NATO Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia] by an independent ‘International Group of Experts’, is the result of a three-year effort to examine how extant international law norms apply to this ‘new’ form of warfare. The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt with in the context of these topics.

The Tallinn Manual is not an official document, but instead an expression of opinions of a group of independent experts acting solely in their personal capacity.  It does not represent the views of the Centre, our Sponsoring Nations, or NATO.  It is also not meant to reflect NATO doctrine.  Nor does it reflect the position of any organization or State represented by observers.

access the report

Swatting


Security reporter tells Ars about hacked 911 call that sent SWAT team to his house

ArsTechnica

(...)

"Brian Krebs has always been a trailblazer among security reporters. His exposés completely shut down a California hosting service that coddled spammers and child pornographers and severely disrupted an organized crime syndicate known as Russian Business Network. More recently, his investigative journalism has followed the money to the people who sell malware exploit kits, illicitly procured credit reports, and denial-of-service services in underground forums.

Now, Krebs has achieved a decidedly more grim distinction. On Thursday, he became one of the first journalists to be on the receiving end of a vicious hoax that prompted a raid on his Northern Virginia home by a swarm of heavily armed police officers. The tactic, known as "swatting," has long been a favorite of depraved hackers. They use computers or special phone equipment to make emergency calls that appear to come from their target's phone number. When a 911 operator answers, they report a life-threatening, sometimes horrific crime in progress. Police, often armed with assault rifles, descend on the target's home, sometimes breaking down doors in the mistaken belief that their lives are on the line by gun-toting criminals carrying out home invasion robberies or drugged-out maniacs committing multiple homicides.

It was around 5pm. Krebs, 40, had just finished preparing his home for a small dinner party he had planned for later that evening. While vacuuming his home, his phone rang a few times, but he decided not to answer since he didn't want to get held up. When he finished, he realized there was still some tape at the entrance of his house where Christmas lights had been. He thought it made sense to remove it before his guests arrived.

"As soon as I open the front door, I hear this guy yelling at me, behind a squad car, pointing a pistol at me saying: 'Don't move. Put your hands up,'" Krebs, who is a long-time friend and colleague, told me. "The first thing I said was: 'You've got to be kidding me.'""

(...)

Full story
More details on the story at the Krebs on Security blog

Cyber-attacks and cyber-espionage are threat number 1 in the US

Interesting that they managed to overtake the concern with terrorism, or even with conventional war:


Authorities say cybersecurity is the main threat to the US
Público

"The directors of the FBI, the CIA and the US national intelligence service were heard in the Senate on the potential threats to US security and considered that cyber-espionage and cyber-attacks have overtaken terrorism at the top of the list of concerns.

“In some cases, the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks,” said James Clapper, Director of National Intelligence, quoted by Reuters; the post was created in 2004 and designates one of the main advisers to the US President on matters of homeland security.

Clapper, however, played down the likelihood of large-scale cyber-attacks in the short term, stating that there is only a “remote chance” of an attack of this kind in the next two years capable of having serious effects, such as, he exemplified, the large-scale disruption of services like the electricity supply. He also noted that traditional attacks with serious consequences in the US are not likely.

The heads of the intelligence and espionage agencies are heard annually in the Senate. According to the New York Times, this is one of the rare occasions since 2001 in which terrorism was not named as the main threat. In 2009, Clapper's predecessor had pointed to the global financial crisis as the main risk to US security.

This Monday, the White House, through National Security Adviser Tom Donilon, demanded that China stop intruding into American computer systems to steal information and adopt “acceptable norms of behaviour in cyberspace”. Donilon was referring both to actions targeting government computers and to industrial espionage against US companies."