Vulnerability trends for 2014

4 Trends In Vulnerabilities That Will Continue In 2014

Dark Reading, Robert Lemos

1. More pay for researchers

Most vulnerability researchers can now get paid for the effort they put into finding vulnerabilities. Third-party bounty programs are seeing renewed interest.

(...)

2. Exploiting the guards

Researchers have found vulnerabilities in most major security software, and that will continue in 2014, according to ZDI's Gorenc. While most upcoming vulnerabilities focus on Microsoft, Adobe, Oracle and other major enterprise software vendors, a few reports include the software the companies rely on to secure their systems. In ZDI's upcoming vulnerabilities list, for example, antivirus firm Sophos and security information and event management (SIEM) firm SolarWinds are both included.

"Toward the end of 2013, we saw researchers looking for a lot more vulnerabilities in security products themselves," says Gorenc.

The trend pairs with a similar focus of attackers, who have, over the past four years, focused on attacking companies who supply security products to enterprises. RSA, Bit9, and Symantec are among the companies that have had their systems breached.

3. Embedded devices mean flaws live longer

From vulnerabilities in Android to problems with universal plug-and-play to security issues in industrial control and medical systems, vulnerabilities in embedded devices are an increasing focus for researchers. Such security issues are a problem for users because most devices are not easily patched, and manufacturers often take months to years to update their device software.

A big part of that is the resurgence of Linux as a target for research, says Rapid7's Moore. In the past, a vulnerability in Linux meant that companies had to patch their Web and database servers, but increasingly those vulnerabilities are found in embedded devices.

"Any time you have a Linux kernel vulnerability, the scary thing is that those don't go away," Moore says. "They get baked into every Android phone and embedded box that is out there."

4. Libraries under attack

Along with embedded systems, attackers will continue their focus on the popular libraries and frameworks used by developers. Graphics libraries, such as LibTIFF, are popular targets of vulnerability research. Rapid7 found that issues in the universal plug and play library, LibPNP, continued to be widespread.

"Library bugs tend to stick around for awhile because they apply to more and more software going forward" as developers build the libraries into more products, Moore says.

Because developers do not usually issue an update to fix vulnerabilities in libraries, software reliant on vulnerable library versions continues to exist. "There is a multi-year tail on those issues," he says.

Security of MicroSD cards

A very interesting post on the subject:

On Hacking MicroSD Cards 
bunnie:studios

The most interesting conclusion is that these cards contain a microcontroller (a variant of an Intel 8051 or an ARM) running at around 100 MHz, with its own firmware. In other words, far from being mere data storage devices, they are small computers into which malware can be introduced, etc.

5 important attacks of 2013

Lessons From Five Advanced Attacks Of 2013

1. Cryptolocker and the evolution of ransomware
While many attackers create botnets to steal data or use victims' machines as launching points for further attacks, a specialized group of attackers have used strong-arm tactics to extort money from victims. In the past, most of these types of attacks, referred to as ransomware, have been bluffs, but Cryptolocker, which started spreading in late summer, uses asymmetric encryption to lock important files.
(…)

2. New York Times "hack" and supplier insecurity
The August attack on the New York Times and other media outlets by the Syrian Electronic Army highlighted the vulnerability posed by service providers and technology suppliers.
Rather than directly breach the New York Times' systems, the attackers instead fooled the company's domain registrar to transfer the ownership of the nytimes.com and other media firms' domains to the SEA.
(…)

3. Bit9 and attacks on security providers
In February, security firm Bit9 revealed that its systems had been breached to gain access to a digital code-signing certificate. By using such a certificate, attackers can create malware that would be considered "trusted" by Bit9's systems.
(…)

4. DDoS attacks get bigger, more subtle
A number of denial-of-service attacks got digital ink this year. In March, anti-spam group Spamhaus suffered a massive denial-of-service attack, after it unilaterally blocked a number of online providers connected--in some cases tenuously--to spam. The Izz ad-Din al-Qassam Cyberfighters continued their attacks on U.S. financial institutions, causing scattered outages during the year.
(…)

5. South Korea and destructive attacks
Companies in both the Middle East and South Korea suffered destructive attacks designed to wipe data from computers. In 2012, Saudi Aramco and other companies in the Middle East were targeted with a malicious attack that erased data from machines, causing them to become unrecoverable.
This year, South Korean firms were attacked in a similar manner in a multi-vector attack whose finale was the deletion of master boot records on infected computers. While such attacks have happened in the past, they seem to be more frequent, says Dell Secureworks' Williams.
"The impact of these attacks have been pretty impressive--30,000 machines needed to be rebuilt in the Saudi Aramco case," he says.

Beyond SIEMs

While security information and event management (SIEM) tools have certainly helped many an enterprise IT organization get a better handle on aggregating and analyzing logs across disparate security tools, these organizations are starting to butt up against the limitations of SIEM. And as enterprises seek to gain more insight into business trends and user activity affecting security stances, they're finding that they shouldn't make the mistake of confusing the use of SIEM for the existence of security analytics practices.

"I think SIEM is a starting point for security analytics, but only a starting point," says Ed Bellis, CEO of Risk I/O.

(...)

Part of the difficulty with SIEM has been issues of increased security "noise" and complexity of systems feeding into the SIEM.

(...)

"SIEMs weren't originally designed to consume much more than syslog or netflow information with a few exceptions around configuration or vulnerability assessment," he says. "Security analytics is more than just big data, it's also diverse data. This causes serious technical architectural limitations that aren't easy to overcome with just SIEM."

For example, SIEM can't account for data sources like financial data that could help with fraud detection, human resource information, metadata about the business, or sentiment data from sources like social media. These kinds of sources, external to security, can prove crucial in pinpointing business risks that require contextual clues to spot.

"Security analytics needs to include big picture thinking -- integration of the meanings and interactions of signals, not just the raw reduction of streams of events," says Mike Lloyd, CTO of RedSeal Networks.

Top 8 security threats of 2013

The top 8 security threats of 2013

the list:
  1. More Sophisticated DDoS
  2. Attack of the Botnets
  3. Ignored Insider Threats
  4. Insecure Applications
  5. Data Supply Chain Threats
  6. Unauthorized Access by Former Employees
  7. Embedded Systems Vulnerabilities
  8. The Growth of Bitcoin

Best practices for developing cloud applications

A document on the subject has just been published by the Cloud Security Alliance and the SAFEcode consortium: https://cloudsecurityalliance.org/download/safecode-csa-whitepaper/

ENISA Threat Landscape report 2013

The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed. Questions addressed are: What are the top cyber-threats of 2013? Who are the adversaries? What are the important cyber-threat trends in the digital ecosystem?

Negative trends 2013:
  • Threat agents have increased the sophistication of their attacks and of their tools.
  • Clearly, cyber activities are not a matter of only a handful of nation states; indeed multiple states have developed the capacity to infiltrate both governmental and private targets.
  • Cyber-threats go mobile: attack patterns and tools targeting PCs which were developed a few years ago have now migrated to the mobile ecosystem.
  • Two new digital battlefields have emerged: big data and the Internet of Things.

Positive developments in the cyber threat trends in 2013 include:
  • Some impressive law-enforcement successes; police arrested the gang responsible for the Police Virus; the Silk Road operator as well as the developer and operator of Blackhole, the most popular exploit kit, were also arrested.
  • Both the quality and number of reports as well as the data regarding cyber-threats have increased.
  • Vendors gained speed in patching their products in response to new vulnerabilities.

A table of the top current threats and threat trends lists the following top three threats: 1. Drive-by-downloads, 2. Worms/Trojans and 3. Code injections. For full table.

Hackers attack the Ministry of Foreign Affairs

Chinese hackers attacked Portugal's Ministry of Foreign Affairs
Público

A group of hackers operating from China managed to break into the computer systems of the ministries of foreign affairs of five different countries, including Portugal, according to a report by an American IT security company, as reported by the newspaper The New York Times.

Besides Portugal, according to the New York Times, the targeted countries were the Czech Republic, Bulgaria, Latvia and Hungary. The attacks, says the report by the Californian company FireEye, are thought to have begun in 2010 and to have been carried out repeatedly. The countries are not named in the document, but from the e-mail addresses on the hackers' site the newspaper says it is possible to identify these five targets, and a source close to the investigation confirmed them to the New York Times.

To PÚBLICO, the Ministry of Foreign Affairs said only, in a reply by e-mail, that it "has always adopted and continues to adopt all IT security measures to protect its communications network, in coordination with the competent national authorities in this matter".

The attackers used a common technique to install malicious software on computers, one that depends on human error: they sent e-mails containing links. It was enough for someone to click the link for the software to install itself on the computer and its network, opening the door for the attackers to access files remotely.

At first, the attackers sent an e-mail pointing to what they claimed were nude photographs of Carla Bruni, wife of former French President Nicolas Sarkozy. Later, they sent e-mails that claimed to contain information about military activity in Syria.

(...)

The investigation carried out by FireEye (named "Ke3Chang", an expression found in the malware's source code) concluded that the hacker group has servers in China, Hong Kong and the USA. The fact that the clues point to China as the territory from which the attacks originated, and that the targets are government computers, led the company to suggest that the operation is linked to the Chinese government. Beijing is frequently accused of cyber-espionage, an accusation it has denied several times.

(...)

Full story on the Público site

Story in the New York Times: China Is Tied to Spying on European Diplomats

FireEye report: Operation "Ke3chang" (pdf)

PCAS project

Funded at around 70% by the European Commission, the Personalized Centralized Authentication System (PCAS) project has a budget of 4.5 million euros and brings together a consortium of research institutes and companies, including two Portuguese participants, Maxdata Software and INESC ID.

The goal of this research project is to develop a portable, secure and innovative device under a concept named the Secured Personal Device (SPD). In practice, it is an electronic device that will allow anyone to store their data securely and share it with trusted applications. The SPD will work as an add-on for smartphones that draws power from the phone and uses its communication services, for example mobile data, Wi-Fi and Bluetooth.

The SPD will be able to recognise its owner through multiple biometric sensors, namely fingerprint, facial, iris and voice recognition, and will also include a stress sensor that makes it possible to detect any kind of coercion. Using the same biometric authentication system, the SPD will be able to communicate securely with servers in the cloud, making it unnecessary to memorise and use passwords.

(...)

full story on the Semana Informática site

Red October

At CloudFlare, we are always looking for better ways to secure the data we’re entrusted with. This means hardening our system against outside threats such as hackers, but it also means protecting against insider threats. According to a recent Verizon report, insider threats account for around 14% of data breaches in 2013. While we perform background checks and carefully screen team members, we also implement technical barriers to protect the data with which we are entrusted.

One good information security practice is known as the “two-man rule.” It comes from military history, where a nuclear missile couldn’t be launched unless two people agreed and turned their launch keys simultaneously. This requirement was introduced in order to prevent one individual from accidentally (or intentionally) starting World War III.

To prevent the risk of rogue employees misusing sensitive data we built a service in Go to enforce the two-person rule. We call the service Red October after the famous scene from “The Hunt for Red October.” In line with our philosophy on security software, we are open sourcing the technology so you can use it in your own organization (here’s a link to the public Github repo). If you are interested in the nitty-gritty details, read on.

Red October is a cryptographically-secure implementation of the two-person rule to protect sensitive data. From a technical perspective, Red October is a software-based encryption and decryption server. The server can be used to encrypt a payload in such a way that no one individual can decrypt it. The encryption of the payload is cryptographically tied to the credentials of the authorized users.

Authorized persons can delegate their credentials to the server for a period of time. The server can decrypt any previously-encrypted payloads as long as the appropriate number of people have delegated their credentials to the server.

Top Ten Web Hacking Techniques of 2012

A bit late, but here it is:

Top Ten Web Hacking Techniques of 2012

Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack. Now in its seventh year, The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work. Past Top Tens and the number of new attack techniques discovered in each year: 2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51)

The Top Ten
  1. CRIME (1, 2, 3 4) by Juliano Rizzo and Thai Duong
  2. Pwning via SSRF (memcached, php-fastcgi, etc) (2, 3, 4, 5)
  3. Chrome addon hacking (2, 3, 4, 5)
  4. Bruteforce of PHPSESSID
  5. Blended Threats and JavaScript
  6. Cross-Site Port Attacks
  7. Permanent backdooring of HTML5 client-side application
  8. CAPTCHA Re-Riding Attack
  9. XSS: Gaining access to HttpOnly Cookie in 2012
  10. Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)
Then there are honourable mentions, etc. See the original post.

"Safe"-Stop

It is not clear for whom it is "safe"...

British police show how to stop a car with radio frequencies

The method is still in the testing phase, but British police forces have already shown interest, mainly so that they can stop motorcycles successfully. Until now, the only ways to halt a vehicle involve puncturing its tyres, notably with spike strips. That technique always carries some risk of injury to the driver and passengers as well as to bystanders.

In the RF Safe-Stop demonstration in Worcestershire, E2V managed to stop several cars using only a small RF emitter. The vehicles were travelling at around 25 km/h. As soon as a vehicle approached the "radar", the dashboard warning lights began flashing erratically and the car ended up shutting down.

According to The Engineer magazine, cited by the BBC, the device operates in the S and L bands and has a range of 50 metres.

Critics of the method point out that the radio-frequency attack may not work fully, because in modern cars it may also affect the electronic braking system. It should also be considered that older cars use practically no electronic systems, so they cannot be stopped with this method. Finally, sceptics doubt that the method can stop a vehicle travelling at a "normal" speed in time.

Source: Exame Informática online

Article in The Engineer magazine

Dangerous places to use your debit card

the most surprising one is the petrol station:

Snowden documents

"As more and more media outlets from all over the world continue to report on the Snowden documents, it's harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying.

None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the information back to the compilers."

A new job for botnets...

A new job for botnets: mining bitcoins!

Atrax: Cybercrime Kit Capable of Stealing Data, Launching DDOS, Mining for Bitcoins
news.softpedia.com

Security researchers have come across a new cybercriminal kit that’s currently being advertised on underground forums. The kit is called Atrax and its main platform costs only $250 (€184).