Crimepacks vs vulnerabilities

A very interesting presentation on the vulnerabilities exploited by the main crimepacks, comparing those results with the ones from 2011:
  • How do we use intel to mitigate a threat?
  • What are optimal defenses for mass malware?
  • How do crimepacks acquire exploits?
  • Is security research being applied by crimepack authors?


Videos of viruses in action

from Wired:

Back in 2004, a computer worm called Sasser swept across the web, infecting an estimated quarter million PCs. One of them belonged to Daniel White, then 16 years old. In the course of figuring out how to purge the worm from his system, the teenager came across the website of anti-virus company F-Secure, which hosted a vast field guide of malware dating back to the 1980s, complete with explanations, technical write-ups, and even screenshots for scores of antiquated viruses. He found it intoxicating. “I just read all I could,” he says, “and when I’d read all of that I found more sources to read.” He’d caught the computer virus bug.

Nine years and a handful of data loss scares later, White has amassed perhaps the most comprehensive archive of malware-in-action found anywhere on the web. His YouTube channel, which he started in 2008, includes more than 450 videos, each dedicated to documenting the effect of some old, outdated virus. The contents span decades, stretching from the dawn of personal computing to the heyday of Windows in the late ’90s. It’s a fascinating cross-section of the virus world, from benign programs that trigger goofy, harmless pop-ups to malicious, hell-raising bits of code. Happening across one of White’s clips for a virus you’ve done battle with back in the day can be a surprisingly nostalgic experience.

full article at Wired

the YouTube channel with videos of viruses in action

Apple iMessage

Researchers claim that Apple can intercept iMessage communications, despite Apple having stated otherwise. The reason is the lack of certificate pinning.

What we are not saying: Apple reads your iMessages.

What we are saying: Apple can read your iMessages if they choose to, or if they are required to do so by a government order.

As Apple claims, there is end-to-end encryption. The weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages.

Also remember that the content of the message is one thing, but the metadata are also sensitive. And there, you rely on Apple to carry your messages, thus they have your metadata.

Now, you can read the article or jump to end of the article where we summarized it.


slides of the presentation
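The weakness described above is that clients trust whatever public key the operator's directory hands them, so the operator can substitute a key and read the traffic. As an added example (not Quarkslab's or Apple's code), here is the client-side check that turns such a substitution into a visible event: a trust-on-first-use pin store that remembers each contact's key fingerprint and refuses to proceed when the directory returns a different one. `PinStore`, `simulate` and the sample directory answers are constructed for illustration.

```python
"""Trust-on-first-use key pinning against a key directory (added example).
A messenger whose clients blindly use the public key returned by the
operator's directory is only as trustworthy as that directory. Pinning the
first key seen per contact turns a silent key swap into a mismatch the user
can verify out of band before anything is encrypted to the new key."""
import hashlib
from typing import Dict, List, Optional, Tuple


def fingerprint(pubkey: bytes) -> str:
    """Short hex fingerprint of a public key, suitable for reading aloud."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class PinStore:
    """Remembers the first key fingerprint seen for each contact."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, contact: str, directory_key: bytes) -> str:
        """Decide whether to encrypt to the key the directory just returned."""
        fp = fingerprint(directory_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = fp   # first lookup: trust and remember
            return "pinned"
        if pinned == fp:
            return "ok"                # same key as before
        return "MISMATCH"              # directory changed the key: do not send

    def accept_verified(self, contact: str, new_key: bytes) -> None:
        """Move the pin only after the user compared fingerprints out of band."""
        self._pins[contact] = fingerprint(new_key)


def simulate(lookups: List[Tuple[str, bytes]],
             store: Optional[PinStore] = None) -> List[str]:
    """Run a sequence of (contact, key) directory answers through one store."""
    store = store or PinStore()
    return [store.check(contact, key) for contact, key in lookups]


# Constructed directory responses: the third answer silently swaps Bob's key.
BOB_KEY = b"constructed-public-key-of-bob"
SWAPPED_KEY = b"constructed-key-inserted-by-directory-operator"
SAMPLE_LOOKUPS = [("bob", BOB_KEY), ("bob", BOB_KEY), ("bob", SWAPPED_KEY)]

if __name__ == "__main__":
    print(simulate(SAMPLE_LOOKUPS))  # ['pinned', 'ok', 'MISMATCH']
```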

Backdoor in D-Link routers

Nice, because they present the details of how they found the backdoor:

Reverse Engineering a D-Link Backdoor

(with thanks to Duarte Barbosa)

CryptoLocker ransomware

The price has gone up. It used to charge 100 dollars to decrypt the files; now it charges 300...

full story at Hacker News

device fingerprinting

Top sites (and maybe the NSA) track users with “device fingerprinting”

Close to 1.5 percent of the Internet's top websites track users without their knowledge or consent, even when visitors have enabled their browser's Do Not Track option, according to an academic research paper that raises new questions and concerns about online privacy.

The research, by a team of scientists in Europe, is among the first to expose the real-world practice of "device fingerprinting," a process that collects the screen size, list of available fonts, software versions, and other properties of the visitor's computer or smartphone to create a profile that is often unique to that machine. The researchers scanned select pages of the top 10,000 websites as ranked by Alexa and found that 145 of them deployed code based on Adobe's Flash Player that fingerprinted users surreptitiously. When they expanded their survey to the top one million sites, they found 404 that used JavaScript-based fingerprinting. The researchers said the figures should be taken as the lower bounds since their crawlers weren't able to access pages behind CAPTCHAs and other types of Web forms. Mainstream awareness of fingerprinting first surfaced three years ago following the release of research from the Electronic Frontier Foundation.

Device fingerprinting serves many legitimate purposes, including mitigating the impact of denial-of-service attacks, preventing fraud, protecting against account hijacking, and curbing content scraping, bots, and other automated nuisances. But fingerprinting also has a darker side. For one, few websites that include fingerprinting code in their pages disclose the practice in their terms of service. For another, marketing companies advertise their ability to use fingerprinting to identify user behavior across websites and devices. That suggests device fingerprinting may be used much the way tracking cookies are used to follow people as they browse from site to site, even though fingerprinting isn't covered by most laws governing cookies and websites' Do Not Track policies. And unlike user profiling that relies on "stateful" browser cookies that are usually easy to delete from hard drives, most end users have no idea that their computers are being fingerprinted, and they have few recourses to prevent the practice.

"Device fingerprinting raises serious privacy concerns for everyday users," the researchers wrote in a recently published paper. "Its stateless nature makes it hard to detect (no cookies to inspect and delete) and even harder to opt-out. Moreover, fingerprinting works just as well in the 'private-mode' of modern browsers, which cookie-conscious users may be utilizing to perform privacy-sensitive operations."

More troubling, device fingerprinting may have given the National Security Agency and its counterparts around the world an avenue to identify people using the Tor privacy service. As disclosed in an installment of previously secret NSA documents published last week by The Guardian, the spy agency is capable of injecting script redirections into the traffic of Tor users. Slide 16 of an NSA presentation titled Tor Stinks included the excerpt: "Goal: ... Ignore user-agents from Torbutton or Improve browser fingerprinting? Using javascript instead of Flash?"

The Firefox browser that ships with the Tor Browser Bundle has long attempted to prevent fingerprinting by limiting the customizable properties that are available to users. It also placed a cap on the number of fonts a webpage can request or load. The fingerprinting researchers found a way to bypass the font cap by making use of the Web programming property known as CSS font face. The researchers reported their findings to Tor developers, who have since patched the weaknesses.
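As an added example (not from the paper or Ars Technica), the following measures what makes a fingerprint identifying and why the Tor Browser approach of limiting customisable properties helps: over a constructed visitor population it computes how many bits of Shannon entropy each attribute contributes and what fraction of visitors end up with a unique stateless identifier, then repeats the count after normalising the screen size and font list. The population, the attribute names and `normalize` are illustrative; they are not the paper's data or Tor's implementation.

```python
"""How identifying a browser fingerprint is (added example).
The identifier is stateless: a hash over attributes a page can read, so
there is no cookie to delete and private mode does not change it."""
import hashlib
import math
from collections import Counter

ATTRIBUTES = ("screen", "fonts", "ua", "tz")

# Constructed visitor population; in a real survey each row is one browser.
POPULATION = [
    {"screen": "1920x1080", "fonts": "Arial,Calibri,Wingdings",       "ua": "FF/24",     "tz": "+1"},
    {"screen": "1366x768",  "fonts": "Arial,Calibri",                 "ua": "FF/24",     "tz": "+1"},
    {"screen": "1920x1080", "fonts": "Arial,DejaVu",                  "ua": "FF/24",     "tz": "+0"},
    {"screen": "1280x800",  "fonts": "Arial,Helvetica,Monaco",        "ua": "Safari/6",  "tz": "-5"},
    {"screen": "1920x1080", "fonts": "Arial,Calibri,Wingdings,Segoe", "ua": "IE/10",     "tz": "+1"},
    {"screen": "1366x768",  "fonts": "Arial,Calibri,Segoe",           "ua": "FF/24",     "tz": "+0"},
    {"screen": "1920x1200", "fonts": "Arial,DejaVu,Liberation",       "ua": "Chrome/30", "tz": "+1"},
    {"screen": "1366x768",  "fonts": "Arial,Calibri",                 "ua": "FF/24",     "tz": "+0"},
]


def fingerprint(profile, attrs=ATTRIBUTES) -> str:
    """Stateless identifier: hash of the readable attribute values."""
    raw = "|".join(profile[a] for a in attrs)
    return hashlib.sha256(raw.encode()).hexdigest()[:12]


def entropy_bits(pop, attr) -> float:
    """Shannon entropy of one attribute: bits it reveals about a visitor."""
    n = len(pop)
    counts = Counter(p[attr] for p in pop)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def unique_fraction(pop) -> float:
    """Share of visitors whose fingerprint matches nobody else's."""
    counts = Counter(fingerprint(p) for p in pop)
    return sum(1 for c in counts.values() if c == 1) / len(pop)


def normalize(profile) -> dict:
    """Illustrative hardening in the spirit of Tor Browser: report a fixed
    window size and a fixed font list instead of the machine's real ones."""
    return {**profile, "screen": "1000x1000", "fonts": "bundled-default"}


if __name__ == "__main__":
    for a in ATTRIBUTES:
        print(f"{a}: {entropy_bits(POPULATION, a):.2f} bits")
    print("unique as-is:", unique_fraction(POPULATION))
    print("unique normalized:", unique_fraction([normalize(p) for p in POPULATION]))
```

In this sample the font list carries the most information, which is why a font enumeration cap (and a way around it, as the researchers found) matters so much for Tor Browser users.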

Google pays for vulnerability discoveries

... in open source software

The new experimental program offers rewards from $500 to $3,133.70 for coming up with security improvements to key open-source software projects. It is geared to complement Google's bug bounty program for Google Web applications and Chrome.

Google's program initially will encompass network services OpenSSH, BIND, ISC DHCP; image parsers libjpeg, libjpeg-turbo, libpng, giflib; Chromium and Blink in Chrome; libraries for OpenSSH and zlib; and Linux kernel components, including KVM. Google plans to next include Web servers Apache httpd, lighttpd, nginx; SMTP services Sendmail, Postfix, Exim; and GCC, binutils, and llvm; and OpenVPN.

Dark Reading

Espionage with cookies?

How the NSA might use Hotmail, Yahoo or other cookies to identify Tor users

One of the more intriguing revelations in the most recent leak of NSA documents is the prospect that the spy agency is using browser cookies from Yahoo, Hotmail or the Google-owned DoubleClick ad network to decloak users of the Tor anonymity service.

One slide from a June 2012 presentation titled "Tor Stinks" carried the heading "Analytics: Cookie Leakage" followed by the words "DoubleclickID seen on Tor and nonTor IPs." The somewhat cryptic slide led to rampant speculation on Twitter and elsewhere that the NSA and its British counterpart, the Government Communications Headquarters (GCHQ), are able to bypass Tor protections by somehow manipulating the cookies Google uses to track people who have viewed DoubleClick ads. Principal volunteers with the Tor Project believe such a scenario is "plausible," but only in limited cases. Before explaining why, it helps to discuss how such an attack might work.

As documented elsewhere in the "Tor Stinks" presentation, the spy agencies sometimes use secret servers that are located on the Internet backbone to redirect some targets to another set of secret servers that impersonate the websites the targets intended to visit. Given their privileged location, the secret backbone nodes, dubbed "Quantum," are able to respond to the requests faster than the intended server, allowing them to win a "race condition." Government spies can't track cookies within the Tor network, because traffic is encrypted during its circuitous route through three different relays. But if the spies can watch the Internet backbone, they may be able to grab or manipulate cookies once the data exits Tor and heads toward its final destination.

A slide later in the deck refers to something called "QUANTUMCOOKIE," which purportedly "forces clients to divulge stored cookies." There are multiple ways to interpret such a vague bullet point. One of the more plausible is that the Quantum backbone servers can be used to serve cookies not just from DoubleClick or Google, but from Yahoo, Hotmail, or any other widely used Internet service.