The biggest data breaches

The World's Biggest Data Breaches, In One Incredible Infographic - Business Insider


Secure email - Dark Mail

Phil Zimmermann, Lavabit and others have just published a specification and implementation of a protocol for end-to-end encrypted mail:

Our Mission
To bring the world our unique end-to-end encrypted protocol and architecture that is the 'next-generation' of private and secure email. As founding partners of The Dark Mail Technical Alliance, both Silent Circle and Lavabit will work to bring other members into the alliance, assist them in implementing the new protocol and jointly work to proliferate the world's first end-to-end encrypted 'Email 3.0' throughout the world's email providers. Our goal is to open source the protocol and architecture and help others implement this new technology to address privacy concerns against surveillance and back door threats of any kind.

website

More details on which cryptography has been broken by the NSA

A Spiegel article entitled "Prying Eyes: Inside the NSA's War on Internet Security" contains news about which mechanisms have and have not been broken by the NSA. The information about the ones that have not been broken is especially interesting. As the article says, "To a certain extent, the Snowden documents should provide some level of relief to people who thought nothing could stop the NSA in its unquenchable thirst to collect data. It appears secure channels still exist for communication." The article contains a series of interesting links to various documents.

(…) the NSA cryptologists divided their targets into five levels corresponding to the degree of the difficulty of the attack and the outcome, ranging from "trivial" to "catastrophic."

Monitoring a document's path through the Internet is classified as "trivial." Recording Facebook chats is considered a "minor" task, while the level of difficulty involved in decrypting emails sent through Moscow-based Internet service provider "mail.ru" is considered "moderate." Still, all three of those classifications don't appear to pose any significant problems for the NSA.

Mechanisms that appear to be secure:

Things first become troublesome at the fourth level. The presentation states that the NSA encounters "major" problems in its attempts to decrypt messages sent through heavily encrypted email service providers like Zoho or in monitoring users of the Tor network, which was developed for surfing the web anonymously. Tor, otherwise known as The Onion Router, is free and open source software that allows users to surf the web through a network of more than 6,000 linked volunteer computers. The software automatically encrypts data in a way that ensures that no single computer in the network has all of a user's information. For surveillance experts, it becomes very difficult to trace the whereabouts of a person who visits a particular website or to attack a specific person while they are using Tor to surf the Web.


The NSA also has "major" problems with Truecrypt, a program for encrypting files on computers. Truecrypt's developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism -- an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple -- show that the NSA's efforts appear to have been thwarted in these cases: "No decrypt available for this OTR message." This shows that OTR at least sometimes makes communications impossible to read for the NSA.

Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states.
ZRTP, which is used to securely encrypt conversations and text chats on mobile phones, is used in free and open source programs like RedPhone and Signal. "It's satisfying to know that the NSA considers encrypted communication from our apps to be truly opaque," says RedPhone developer Moxie Marlinspike.

Mechanisms that appear to be insecure:

VPN connections can be based on a number of different protocols. The most widely used ones are called Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol Security (Ipsec). Both seem to pose few problems for the NSA spies if they really want to crack a connection. Experts have considered PPTP insecure for some time now, but it is still in use in many commercial systems. (…) Ipsec as a protocol seems to create slightly more trouble for the spies. But the NSA has the resources to actively attack routers involved in the communication process to get to the keys to unlock the encryption rather than trying to break it, courtesy of the unit called Tailored Access Operations: "TAO got on the router through which banking traffic of interest flows," it says in one presentation.

Even more vulnerable than VPN systems are the supposedly secure connections ordinary Internet users must rely on all the time for Web applications like financial services, e-commerce or accessing webmail accounts. A lay user can recognize these allegedly secure connections by looking at the address bar in his or her Web browser: With these connections, the first letters of the address there are not just http -- for Hypertext Transfer Protocol -- but https. The "s" stands for "secure". The problem is that there isn't really anything secure about them. (…) The NSA and its allies routinely intercept such connections -- by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. (…)

The NSA also has a program with which it claims it can sometimes decrypt the Secure Shell protocol (SSH). This is typically used by systems administrators to log into employees' computers remotely, largely for use in the infrastructure of businesses, core Internet routers and other similarly important systems. The NSA combines the data collected in this manner with other information to leverage access to important systems of interest.

Cyber-attack causes serious damage to a German steel mill

This kind of cyber-physical attack has long been anticipated but remains uncommon, ever since the famous Stuxnet. This case is perhaps even more impressive:

Cyberattack on German steel mill inflicts serious damage
RT.COM

Unknown hackers have inflicted ‘serious damage’ to a German steel mill this year by breaking into internal networks and accessing the main controls of the factory, the German Federal Office for Information Security (BSI) revealed in its annual report.

The report says that the intrusion into the mainframe system caused significant damage to a blast furnace as the attackers managed to manipulate the internal systems and industrial components, causing outages that disrupted the controlled manner of operation.

The BSI didn’t mention which plant was targeted nor give any reference to the time of the attack. The Office did note the “very advanced” capabilities of the hackers.

To penetrate the security, the intruders used a “sophisticated spear phishing” method to gain access to the core networks of the plant. Using this method, which involves targeting specific individuals within an organization, the attackers first penetrated the office network of the factory. From there, they managed their way into the production networks.

(...)

full story at RT.COM

Predictions for 2015

10 cybersecurity predictions for 2015
CSO online

1. Planning Goes Mainstream

2. Big Data and Security Meet at the SIEM

3. Threats Keep Evolving

4. Your Security Scope Expands

5. Passé Passwords

6. Keys Are the Key to the Cloud

7. Smartphones Get Dumb Again

8. Transnational Crime Becomes More Concerning Than Governments

9. Shhhhhh! — Securing Your Voice

10. Quit It! (Managed security)

WAP - Web Application Protection


WAP is the result of the PhD work of my student Ibéria Medeiros. It is a tool that performs static analysis of PHP code in order to detect a series of vulnerabilities (listed below). Detection is done using a combination of taint analysis and data mining. Correction is done by inserting fixes into the code. A paper explaining the approach and the tool appeared this year at the International Conference on World Wide Web. The tool is available for download on SourceForge.

The tool seems to be having some success, as it already has more than 1400 downloads!

More details taken from the WAP page:

WAP 2.0 is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) and with a low rate of false positives. 
WAP detects and corrects the following vulnerabilities: 
  • SQL Injection (SQLI)
  • Cross-site scripting (XSS)
  • Remote File Inclusion (RFI)
  • Local File Inclusion (LFI)
  • Directory Traversal or Path Traversal (DT/PT)
  • Source Code Disclosure (SCD)
  • OS Command Injection (OSCI)
  • PHP Code Injection
This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected with the insertion of the fixes (small pieces of code) in the source code.
WAP is written in the Java language and consists of three modules:

  • Code Analyzer: composed of a tree generator and a taint analyser. The tool has an integrated lexer and parser generated by ANTLR, based on a grammar and a tree grammar written for the PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Syntax Tree) for each PHP file. The taint analyzer performs the taint analysis by navigating through the AST to detect potential vulnerabilities.
  • False Positives Predictor: composed of a supervised training data set with instances classified as vulnerabilities or false positives, and of the Logistic Regression machine learning algorithm. For each potential vulnerability detected by the code analyser, this module collects the presence of the attributes that define a false positive. Then, the Logistic Regression algorithm receives them and classifies the instance as a false positive or not (real vulnerability).
  • Code Corrector: each real vulnerability is removed by correcting its source code. For the type of vulnerability, this module selects the fix that removes the vulnerability and marks the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created.
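As an added example (not WAP's own code, which is written in Java and is far more complete), the following Python script sketches the source-to-sink taint analysis and fix insertion described above on a constructed PHP snippet: values read from the $_GET/$_POST entry points are tracked through assignments until they reach a sensitive sink, and the fix wraps the entry point in a sanitising function. The sink and sanitiser tables are assumptions made for illustration, and the data-mining false-positive predictor is not modelled.

```python
"""Toy source-to-sink taint analysis for PHP in the spirit of WAP (illustrative, not WAP's code)."""
import re

# Entry points WAP tracks (superglobal arrays holding user input), as PHP source tokens.
SOURCES_RE = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST)\[[^\]]*\]")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=\s*(.+);\s*$")

# Sensitive sinks: sink name -> (vulnerability class, sanitiser the fix wraps around the input).
# This table is an assumption for the example; WAP ships its own fix functions.
SINKS = {
    "mysql_query": ("SQLI", "mysql_real_escape_string"),
    "mysqli_query": ("SQLI", "mysqli_real_escape_string"),
    "echo": ("XSS", "htmlentities"),
    "print": ("XSS", "htmlentities"),
    "include": ("RFI/LFI", None),      # no safe generic wrapper: report for a manual fix
    "require": ("RFI/LFI", None),
    "system": ("OSCI", "escapeshellarg"),
    "exec": ("OSCI", "escapeshellarg"),
    "eval": ("PHP Code Injection", None),
}
SANITIZERS = {"mysql_real_escape_string", "mysqli_real_escape_string", "htmlentities",
              "htmlspecialchars", "escapeshellarg", "escapeshellcmd", "intval"}
SINK_RE = re.compile(r"^\s*(" + "|".join(SINKS) + r")\b\s*(.*);\s*$")


def origin_of(expr, tainted):
    """Return (line index, source token) if expr carries user input, else None.

    Simplification: a call to any known sanitiser anywhere in expr cleans the whole expr.
    """
    if any(f + "(" in expr for f in SANITIZERS):
        return None
    m = SOURCES_RE.search(expr)
    if m:
        return (None, m.group(0))        # taint enters right here
    for var in VAR_RE.findall(expr):
        if var in tainted:
            return tainted[var]          # inherit the origin of the tainted variable
    return None


def analyse(php):
    """Walk the file line by line, propagate taint through assignments, report tainted sinks."""
    tainted = {}    # variable name -> (line index where the input entered, source token)
    findings = []
    for i, line in enumerate(php.splitlines()):
        m = ASSIGN_RE.match(line)
        if m:
            var, expr = m.groups()
            origin = origin_of(expr, tainted)
            if origin is None:
                tainted.pop(var, None)   # overwritten with clean data
            else:
                tainted[var] = (i if origin[0] is None else origin[0], origin[1])
            continue
        m = SINK_RE.match(line)
        if m:
            sink, arg = m.groups()
            origin = origin_of(arg, tainted)
            if origin is not None:
                vuln, fix = SINKS[sink]
                findings.append({
                    "line": i + 1, "sink": sink, "vuln": vuln,
                    "origin_line": (i if origin[0] is None else origin[0]) + 1,
                    "source": origin[1], "fix": fix,
                })
    return findings


def correct(php, findings):
    """Insert the fix where the input enters: wrap the entry point in the sanitiser."""
    lines = php.splitlines()
    for f in findings:
        if f["fix"] is None:
            continue                      # report only; no automatic fix for this class
        idx = f["origin_line"] - 1
        wrapped = f"{f['fix']}({f['source']})"
        if wrapped not in lines[idx]:
            lines[idx] = lines[idx].replace(f["source"], wrapped, 1)
    return "\n".join(lines) + "\n"


# Constructed PHP input for the example.
SAMPLE_PHP = """\
<?php
$id = $_GET['id'];
$name = $_POST['name'];
$q = "SELECT * FROM users WHERE id=$id";
mysql_query($q);
echo "Hello " . $name;
$page = intval($_GET['page']);
echo $page;
system("ls " . $_GET['dir']);
"""

if __name__ == "__main__":
    found = analyse(SAMPLE_PHP)
    for f in found:
        print(f"line {f['line']}: {f['vuln']} via {f['sink']}(), input enters at line {f['origin_line']}")
    print(correct(SAMPLE_PHP, found))
```

Running the script reports the SQLI, XSS and OSCI flows (the intval-sanitised $page is not flagged) and prints the corrected file, which the analysis then finds clean.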

DARPA Cyber Grand Challenge



A major initiative that may have a big impact on the state of cyber-security! An excerpt from the explanation:

The ultimate test of wits in computer security occurs through open competition on the global Capture the Flag (CTF) tournament circuit. In CTF contests, experts reverse engineer software, probe its weaknesses, search for deeply hidden flaws, and create securely patched replacements. How hard is this work? The recently discovered Heartbleed flaw in OpenSSL went undiscovered by automation for years before experts found it. The discovery of Heartbleed required the same type of reverse engineering excellence that CTFs are designed to hone.

What if a purpose built supercomputer could compete against the CTF circuit’s greatest experts? Such a computer could scour the billions of lines of code we depend on, find and fix the toughest flaws, upend the economics of computer security, and level the playing field between attackers and defenders.

Over the next two years, innovators worldwide are invited to answer the call of Cyber Grand Challenge. Over a series of competition events, the very first prototype CTF-playing systems will be constructed, competed, and selected.

In 2016, DARPA will hold the world’s first all-computer Capture the Flag tournament live on stage co-located with the DEF CON Conference in Las Vegas where automated systems may take the first steps towards a defensible, connected future.

http://www.cybergrandchallenge.com

Regin: another cyber-weapon?

Regin: Top-tier espionage tool enables stealthy surveillance
Symantec

An advanced spying tool, Regin displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.

An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since at least 2008. A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.

It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.

As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.




PwC report on the state of security

Managing cyber risks in an interconnected world
Key findings from The Global State of Information Security® Survey 2015

sections:

  1. Cyber risks: A severe and present danger
  2. Incidents and financial impacts continue to soar
  3. Employees are the most-cited culprits of incidents
  4. As incidents rise, security spending falls
  5. Declines in fundamental security practices
  6. Gains in select security initiatives
  7. Evolving from security to cyber risk management

How identifiable is your browser?

Mine is :-)

Learn how identifiable you are on the Internet. Help us investigate the diversity of web browsers. By clicking on this button, only anonymous data will be collected and a cookie will be stored in your browser for four months. You can find more details in the Privacy Policy.

try it at https://amiunique.org

Top security problems of 2014

A summary of a packed year. It also includes a discussion of 2015:

10 top security threats of 2014 (so far)
Zero Day
Summary: The top security threats of 2014 include equal parts old mistakes, new adversaries, innocent human nature and the evils that people do.
The list:

10. Normal people
9. Cloud disasters
8. Application security, aka blame the "other services"
7. Facebook scams
6. The Drupal boogeyman
5. Apple's rot
4. China
3. Shellshock
2. Mega Retail Breaches
1. 2014's threat theme: White-knuckle flaws in TLS/SSL protocols: Goto Fail, Heartbleed, POODLE, WinShock

The complexity of software security

A typical, midsized financial organization has a portfolio of over a thousand applications. The largest firms exceed ten thousand applications. Each of these applications, on average, has hundreds of thousands of lines of custom code, and the largest can have over ten million lines. In addition, each application also includes anywhere from dozens to hundreds of software libraries, frameworks, and components that typically total over ten times the size of the custom code. And this portfolio is growing rapidly -- over 20% of these applications have new and updated code each year.

By comparison, consider the US Federal Tax Code, which has also grown dramatically over the years. Currently, the tax code totals just 4.4 million lines of “code” – roughly equivalent to just a handful of applications. As a security researcher I’ve discovered thousands of vulnerabilities in code. But as a former CEO, I’ve also analyzed a ton of legal contracts for loopholes. What’s interesting is that whether I’m scrutinizing software code or reviewing legal language, the analysis is not as different as you might think. Both require a detailed understanding of specialized language and a solid understanding of the underlying business.

So after two decades of high speed coding, a typical large financial organization has a pile of code as large as 2,000 copies of the entire 73,954 pages in the US Federal Tax Code -- almost 10 billion lines of code.

The Staggering Complexity of Application Security
DarkReading

WordPress security

A checklist on WordPress security:

WordPress Security Checklist: 30 Action-Items

Hacking Team's spyware

SECRET MANUALS SHOW THE SPYWARE SOLD TO DESPOTS AND COPS WORLDWIDE
BY CORA CURRIER AND MORGAN MARQUIS-BOIRE

The Intercept

When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.

We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”

The manuals describe Hacking Team’s software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team’s manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software.

(...)

Full article


An epidemic... of medical data theft

Naked Security - Sophos

We're all sick of data breaches and privacy intrusions, with just about every new day bringing new stories of shops, banks and restaurants leaking epic amounts of customer information and celebrities having their intimate snaps spread around the internet.

Obscured by these headline-grabbing big-name leaks, a rash of smaller-scale breaches has been leaking a steady stream of data every bit as valuable as our card numbers and every bit as intimately private as our most graphic selfies. (...)

In just the last few weeks, some of those "smaller" breaches include:

Segurança Informática on Facebook


The blog is now available via Facebook: https://www.facebook.com/seginfportugal. All posts are published directly there.

Black energy

A variant of the BlackEnergy malware is infecting numerous industrial systems / critical infrastructure:
ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).
ICS-CERT originally published information and technical indicators about this campaign in a TLP Amber alert (ICS-ALERT-14-281-01P) that was released to the US-CERT secure portal on October 8, 2014, and updated on October 17, 2014.

more information:
Alert (ICS-ALERT-14-281-01A)
Ongoing Sophisticated Malware Campaign Compromising ICS (Update A)

The faces of today's hackers

Very interesting:

Infographic: The Many Faces of Today’s Hackers
DarkReading

As part of National Cyber Security Awareness Month, Narus, a cyber security data analytics company, developed an infographic to give organizations a better understanding of today’s hackers -- from the general types of hackers that enterprises often face to the types of attacks they’re most likely to deploy. No enterprise can guarantee 100% security across all parts of the business. There are too many gaps at the perimeter, and sadly hackers have all the time they need to work around defenses and exploit these gaps.

Sandworm

On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.

Microsoft is making a patch for this vulnerability available as part of patch updates on the 14th – CVE-2014-4114.

Exploitation of this vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT Partners attributes to Russia.

Visible Targets
Visibility into this campaign indicates targeting across the following domains. It is critical to note that visibility is limited and that there is a potential for broader targeting from this group (and potentially other threat actors) using this zero-day.

  • NATO
  • Ukrainian government organizations
  • Western European government organization
  • Energy Sector firms (specifically in Poland)
  • European telecommunications firms
  • United States academic organization

See more at: http://www.isightpartners.com/2014/10/cve-2014-4114/

(...)

full article

Poodle

"Poodle is a security vulnerability inherent to the SSLv3 protocol, which is used to hide (encrypt) connections on the web. The protocol has been steadily replaced by the TLS family, which is supported in practically all browsers."

Banking and public administration sites vulnerable to Poodle attacks


Content security policies and cross-site scripting

An interesting article on the use of content security policies (a candidate W3C standard) to protect sites from cross-site scripting. In fact, the mechanism also protects against one or two other kinds of attack, as can be seen in the W3C document.

article: Generating Content-Security-Policies, the easy way.


Tyupkin: malware for stealing money from ATMs

The curious thing is that physical access to the machine's hardware is required. Given that access, one would expect the attack to consist of stealing the money directly. However, the objective is different: to make it possible to come back later and steal money, possibly several times.

Tyupkin: Manipulating ATM Machines with Malware
Kaspersky

(...)

This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

The malware uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night. It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.

When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

Most of the analyzed samples were compiled around March 2014. However this malware has evolved over time. In its last variant (version .d) the malware implements anti debug and anti emulation techniques, and also disables McAfee Solidcore from the infected system.

Analysis

According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.

The attackers copied the following files into the ATM:

C:\Windows\system32\ulssm.exe
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\AptraDebug.lnk
After some checks of the environment, the malware removes the .lnk file and creates a key in the registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AptraDebug" = "C:\Windows\system32\ulssm.exe"
The malware is then able to interact with ATM through the standard library MSXFS.dll – Extension for Financial Services (XFS).

The malware runs in an infinite loop waiting for user input. In order to make it more difficult to detect, Tyupkin accepts (by default) commands only on Sunday and Monday nights.

It accepts the following commands:

XXXXXX – Shows the main window.
XXXXXX – Self deletes with a batch file.
XXXXXX – Increases the malware activity period.
XXXXXX – Hides the main window.
After every command the operator must press "Enter" on the ATM's pin pad.

Tyupkin also uses session keys to prevent interaction with random users. After entering the "Show the main window" command, the malware shows the message "ENTER SESSION KEY TO PROCEED!" using a random seed for each session.

The malicious operator must know the algorithm to generate a session key based on the seed shown. Only when this key is successfully entered is it possible to interact with the infected ATM.

After that, the malware shows the following message:

CASH OPERATION PERMITTED.
TO START DISPENSE OPERATION -
ENTER CASSETTE NUMBER AND PRESS ENTER.
When the operator chooses the cassette number, the ATM dispenses 40 banknotes from it.

(...)





BadUSB

It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

Static code analysis

Software Assurance: Time to Raise the Bar on Static Analysis
Dark Reading

The results from tools studies suggest that using multiple tools together can produce more powerful analytics and more accurate results.
I had an interesting conversation recently about the after-effects of Heartbleed and the challenges facing static analysis with Barton Miller, the chief scientist of the Software Assurance Marketplace (SWAMP), which is a project I’m sponsoring at the Department of Homeland Security to improve software quality, and raise the bar of static analysis capabilities.

I wanted to know if the problems associated with static analysis can be attributed to a lackluster analysis engine. Are the core engines in static analysis tools robust enough to keep pace with the complexity and size of modern software? Obviously, these tools appear to be lacking in depth and breadth, which results in oversimplifying, which may lead tools to make inaccurate assumptions about code; as a result they miss (simple) things and produce a generous amount of false-positives.

(...)

Back to Citius

Several news items about Citius have already appeared on this blog, but it seems that this time it is for real: it is no longer possible to ignore the lamentable state of a system that is critical to the functioning of the country. The most interesting article I have seen on the subject came out in the Observador. An excerpt:

"The foundations of the computer system where civil, family and minors cases and some recordings and notifications from criminal proceedings are placed did not come from a public tender. It started from the initiative of a group of curious court clerks who happened to know how to program. At the time, in the late 1990s, the system was born in a room rented by the Ministry of Justice in Coimbra. It was there that the team christened it “Citius/Habilis” and developed it in Vbase 6, a programming language that has since fallen into disuse."

I still don't understand why IT is the only profession that can be practised by "hobbyists" :-(

Courts change but stay on the same Citius - Observador

Shellshock on the attack

An interesting analysis of several attacks under way against the vulnerability in Bash, aka Shellshock.

"We have observed a significant amount of overtly malicious traffic leveraging BASH, including
  • Malware droppers
  • Reverse shells and backdoors
  • DDoS"

Shellshock in the Wild - FireEye blog

Update (2/10): besides this one, the best articles I found on Shellshock are on M. Zalewski's (Google) blog:

Quick notes about the bash bug, its impact, and the fixes so far
Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78)



Medical data theft

Hackers steal medical data to sell on the black market
Observador

Following an attack on one of the largest hospital operators in the United States, the FBI warned healthcare professionals to take protective measures against cyber-attacks, the Reuters news agency reported. Last month, Community Health Systems Inc. was attacked by Chinese hackers, who got into the operator's computer network and stole the personal information of 4.5 million patients.

The US healthcare industry is gradually becoming a preferred target for criminals, owing to the poor security of hospital computer systems. Many companies and hospitals still use old computer systems, without the protection of the latest security features, which allows hackers to access the data with relative ease.

The stolen data is of every kind. Names, dates of birth, insurance policy numbers, diagnostic codes and billing information: almost anything can later be sold by the hackers on the healthcare black market. The criminals then use the stolen information to create fake identities in order to buy medical equipment or drugs for resale. Another fraud involves combining a patient's number with a fake supplier number, which is then used to file a claim with an insurer.

BashSmash / ShellShock: vulnerability allows remote code execution in bash

A serious vulnerability, more than 20 years old:

Bash specially-crafted environment variables code injection attack
redhat security blog

(...) It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc).

The vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents. As a result, this vulnerability is exposed in many contexts, for example:
  • ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.
  • Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).
  • PHP scripts executed with mod_php are not affected even if they spawn subshells.
  • DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine.
  • Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.
  • Any other application which is hooked onto a shell or runs a shell script using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.
(...)
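The FireEye post above reports the probes and droppers seen in the wild, and the Red Hat excerpt explains why any header that a CGI handler copies into an environment variable is a delivery path. As an added example (not code from either post), here is a small Python detector that flags the bash function-definition prefix in the request, referrer and user-agent fields of web server logs, which is where those probes land. The log lines are constructed, the field layout assumes Apache combined format, and the payload commands in the samples are harmless echoes.

```python
import re

# Bash function-definition prefix: the marker Shellshock probes carry in any
# header value that a CGI handler exports into the environment of a subshell.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format (assumption: this is the format being searched).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from the page); line 1 carries the prefix in
# the user-agent, line 3 in the referrer, line 2 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
203.0.113.7 - - [25/Sep/2014:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; echo probe" "curl/7.30"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(log_text):
    """Return one finding per line whose request, referrer or user-agent carries the prefix."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("req", "ref", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({
                    "ip": rec["ip"],
                    "field": field,
                    "request": rec["req"],
                    # A 500 hints that a handler ran and something broke; it does
                    # not by itself prove the injected command executed.
                    "status": int(rec["status"]),
                    # Requests under /cgi-bin/ are the ones the Red Hat list says
                    # reach bash through mod_cgi/mod_cgid, so rank them first.
                    "cgi": "/cgi-bin/" in rec["req"],
                })
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in find_shellshock_probes(SAMPLE_LOG):
        print(f"{f['ip']} probe in {f['field']} ({f['request']}) status={f['status']}")
```

The regex deliberately matches only the `() {` prefix rather than any particular command, so it catches probes regardless of what follows; a hit tells you a probe arrived, and the status code and the path tell you whether a CGI handler was there to receive it.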

OWASP Testing Guide v4

The 4th edition of the OWASP Testing Guide has just been published. I haven't read it yet, but it looks impressive.

Dyre/Dyreza - malware targeting Salesforce

A very interesting analysis of this malware, whose goal is to steal Salesforce login credentials.

article

Malicious ebook for Kindle

Amusing: a malicious Kindle ebook steals its owner's Amazon credentials through a cross-site scripting attack.

Amazon.com Stored XSS via Book Metadata

Amazon's Kindle Library, also known as "Manage Your Content and Devices" and "Manage your Kindle", is, at the time of writing, vulnerable to Stored Cross-Site Scripting (XSS) attacks. (Update 2014-09-16: Apparently, Amazon fixed the issue earlier today.) Malicious code can be injected via e-book metadata; for example, an e-book's title.

Once an attacker manages to have an e-book (file, document, ...) with a title like

added to the victim's library, the code will be executed as soon as the victim opens the Kindle Library web page. As a result, Amazon account cookies can be accessed by and transferred to the attacker and the victim's Amazon account can be compromised.



(...)

full article
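The bug above comes from rendering e-book metadata into the library page without escaping it. As an added example, not code from the post quoted here or from Amazon, this Python snippet shows the rendering pattern behind that kind of stored XSS next to its fix: the book records are constructed, `render_unsafe` interpolates the title into HTML verbatim, and `render_safe` escapes every untrusted value for both text and attribute context.

```python
import html

# Constructed e-book metadata (not from the page). The second title carries a
# script tag; the third tries to break out of an attribute value.
BOOKS = [
    {"title": "A Perfectly Normal Book", "author": "Jane Doe"},
    {"title": "Bestseller<script>alert(1)</script>", "author": "Eve"},
    {"title": 'Quoted" onmouseover="alert(1)', "author": "Mallory"},
]


def render_unsafe(books):
    """Vulnerable: metadata goes into the HTML verbatim, in both text and attribute position."""
    rows = [f'<li title="{b["title"]}">{b["title"]} by {b["author"]}</li>' for b in books]
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe(books):
    """Hardened: every untrusted value is escaped; quote=True also neutralises " and ' so
    the same escaped string is safe inside a double-quoted attribute."""
    rows = []
    for b in books:
        title = html.escape(b["title"], quote=True)
        author = html.escape(b["author"], quote=True)
        rows.append(f'<li title="{title}">{title} by {author}</li>')
    return "<ul>" + "".join(rows) + "</ul>"


def untrusted_markup_survives(rendered):
    """Crude check used here to compare the two renderers: does a tag or an attribute
    boundary that did not come from the template reach the output?"""
    return "<script" in rendered.lower() or '" onmouseover="' in rendered


if __name__ == "__main__":
    print("unsafe:", untrusted_markup_survives(render_unsafe(BOOKS)))
    print("safe:  ", untrusted_markup_survives(render_safe(BOOKS)))
```

Escaping at output time, per context, is the fix; rejecting angle brackets on upload would not have helped with the third title, which contains none.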

Stealing mail with DNS cache poisoning



CERT warns that DNS Cache Poisoning attacks could be used also to hijack email to a rogue server and not only to divert the Internet traffic.

(...)

Learning security by experimenting

SEED Labs

The objective of the SEED project is to develop an instructional laboratory environment and laboratory exercises (called labs) for computer system security education. Our approach is motivated by the traditional mature courses, such as Operating Systems (OS), Compilers, and Networking. In OS courses, a widely adopted successful practice is using an instructional OS (e.g. Minix, Nachos, and XINU) as a framework and ask students to write significant portions of each major piece of a modern OS. The Compiler and Network courses adopted a similar approach. Inspired by the success of the instructional OS strategy, we adapt it to our computer security courses. Namely, we use an instructional operating system (Minix) as our basis, and develop lab exercises on this instructional system.

The goal of our labs is to help students focus on (1) grasping security principles, concepts, and technologies, (2) applying security principles to design and implement security mechanisms, (3) analyzing and testing systems for security properties, (4) applying security principles to solve real-world problems. To meet this goal, we have designed a number of labs. Since 2002, we have been experimenting with some of these labs in both undergraduate and graduate courses, including Introduction to Computer Security, Computer Security, and Internet Security.


the matasano crypto challenges

We've built a collection of 48 exercises that demonstrate attacks on real-world crypto.

This is a different way to learn about crypto than taking a class or reading a book. We give you problems to solve. They're derived from weaknesses in real-world systems and modern cryptographic constructions. We give you enough info to learn about the underlying crypto concepts yourself. When you're finished, you'll not only have learned a good deal about how cryptosystems are built, but you'll also understand how they're attacked.

Hackers use online antivirus to test their malware

A very interesting Wired article ("A Google Site Meant to Protect You Is Helping Hackers Attack You") explaining how several hacker teams have been using the VirusTotal service to test whether the malware they develop is detected by various antivirus engines.

Before companies like Microsoft and Apple release new software, the code is reviewed and tested to ensure it works as planned and to find any bugs.
Hackers and cybercrooks do the same. The last thing you want if you’re a cyberthug is for your banking Trojan to crash a victim’s system and be exposed. More importantly, you don’t want your victim’s antivirus engine to detect the malicious tool.
So how do you maintain your stealth? You submit your code to Google’s VirusTotal site and let it do the testing for you.
(...)
VirusTotal is a free online service—launched in 2004 by Hispasec Sistemas in Spain and acquired by Google in 2012—that aggregates more than three dozen antivirus scanners made by Symantec, Kaspersky Lab, F-Secure and others. Researchers, and anyone else who finds a suspicious file on their system, can upload the file to the site to see if any of the scanners tag it malicious. But the site, meant to protect us from hackers, also inadvertently provides hackers the opportunity to tweak and test their code until it bypasses the site’s suite of antivirus tools.

One interesting aspect is that even sophisticated teams such as APT1 and NetTraveler were found using the service:
One of the most prolific groups he tracked belongs to the infamous Comment Crew team, also known by security researchers as APT1, which was responsible for hacking The New York Times. Believed to be a state-sponsored group tied to China’s military, Comment Crew also reportedly is responsible for stealing terabytes of data from Coca-Cola, RSA and more than 100 other companies and government agencies since 2006. More recently, the group has focused on critical infrastructure in the U.S., targeting companies like Telvent, which makes control system software used in parts of the U.S. electrical power grid, oil and gas pipelines and in water systems. The group Dixon tracked isn’t the main Comment Crew outfit but a subgroup of it.
He also spotted and tracked a group known by security researchers as NetTraveler. Believed to be in China, NetTraveler has been hacking government, diplomatic and military victims for a decade, in addition to targeting the office of the Dalai Lama and supporters of Uyghur and Tibetan causes.

Another point is the use of basic trial and error to try to evade detection:

The data provides a rare and fascinating look at the inner workings of the hacker teams and the learning curve they followed as they perfected their attacks. During the three months he observed the Comment Crew gang, for example, they altered every line of code in their malware’s installation routine and added and deleted different functions. But in making some of the changes to the code, the hackers screwed up and disabled their Trojan at one point. They also introduced bugs and sabotaged other parts of their attack. All the while, Dixon watched as they experimented to get it right.
Between August and October 2012, when Dixon watched them, he mapped the Crew’s operations as they modified various strings in their malicious files, renamed the files, moved components around, and removed the URLs for the command-and-control servers used to communicate with their attack code on infected machines. They also tested out a couple of packer tools—used to reduce the size of malware and encase it in a wrapper to make it harder for virus scanners to see and identify malicious code.
Some of their tactics worked, others did not. When they did work, the attackers often were able to reduce to just two or three the number of engines detecting their code. It generally took just minor tweaks to make their attack code invisible to scanners, underscoring how hard it can be for antivirus engines to keep pace with an attacker’s shapeshifting code.
There was no definitive pattern to the kinds of changes that reduced the detection rate. Although all of the samples Dixon tracked got detected by one or more antivirus engine, those with low detection rates were often found only by the more obscure engines that are not in popular use.

Full article in Wired

Netflix publishes two security tools


From the Netflix blog:

Announcing Scumblr and Sketchy - Search, Screenshot, and Reclaim the Internet
Netflix is pleased to announce the open source release of two security-related web applications: Scumblr and Sketchy!

Many security teams need to stay on the lookout for Internet-based discussions, posts, and other bits that may be of impact to the organizations they are protecting. These teams then take a variety of actions based on the nature of the findings discovered. Netflix’s security team has these same requirements, and today we’re releasing some of the tools that help us in these efforts.

(...)

Scumblr is a Ruby on Rails web application that allows searching the Internet for sites and content of interest. Scumblr includes a set of built-in libraries that allow creating searches for common sites like Google, Facebook, and Twitter. For other sites, it is easy to create plugins to perform targeted searches and return results. Once you have Scumblr setup, you can run the searches manually or automatically on a recurring basis.

One of the features we wanted to see in Scumblr was the ability to collect screenshots and text content from potentially malicious sites - this allows security analysts to preview Scumblr results without the risk of visiting the site directly. We wanted this collection system to be isolated from Scumblr and also resilient to sites that may perform malicious actions. We also decided it would be nice to build an API that we could use in other applications outside of Scumblr. Although a variety of tools and frameworks exist for taking screenshots, we discovered a number of edge cases that made taking reliable screenshots difficult - capturing screenshots from AJAX-heavy sites, cut-off images with virtual X drivers, and SSL and compression issues in the PhantomJS driver for Selenium, to name a few. In order to solve these challenges, we decided to leverage the best possible tools and create an API framework that would allow for reliable, scalable, and easy to use screenshot and text scraping capabilities. Sketchy to the rescue!

(...)

Chinese hacker attack on American hospital group steals data of 4.5 million patients

Although no medical data was stolen, it is further evidence that the vulnerabilities exist and that healthcare organisations must protect their information very well.

The hospital group in question consists of 206 hospitals in 29 states.

full article

Problems with PGP

A very interesting post by Matthew Green on the problems with PGP. Some excerpts:

What's the matter with PGP?

(...)

As transparent and user-friendly as the new email extensions are, they're fundamentally just re-implementations of OpenPGP -- and non-legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it's a model of email encryption that's fundamentally broken.

It's time for PGP to die.

In the remainder of this post I'm going to explain why this is so, what it means for the future of email encryption, and some of the things we should do about it. Nothing I'm going to say here will surprise anyone who's familiar with the technology -- in fact, this will barely be a technical post. That's because, fundamentally, most of the problems with email encryption aren't hyper-technical problems. They're still baked into the cake.

(...)

(...)

So what should we be doing?

Quite a lot actually. The path to a proper encrypted email system isn't that far off. At minimum, any real solution needs:


  • A proper approach to key management. This could be anything from centralized key management as in Apple's iMessage -- which would still be better than nothing -- to a decentralized (but still usable) approach like the one offered by Signal or OTR. Whatever the solution, in order to achieve mass deployment, keys need to be made much more manageable or else submerged from the user altogether.
  • Forward secrecy baked into the protocol. This should be a pre-condition to any secure messaging system. 
  • Cryptography that post-dates the Fresh Prince. Enough said.
  • Screw backwards compatibility. Securing both encrypted and unencrypted email is too hard. We need dedicated networks that handle this from the start.


(...)

full article

network injection appliances

You Can Get Hacked Just By Watching This Cat Video on YouTube
By Morgan Marquis-Boire
The Intercept

Many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites. People also think that the NSA and its international partners are the only ones who have turned the internet into a militarized zone. But according to research I am releasing today at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, many of these commonly held beliefs are not necessarily true. The only thing you need to do to render your computer’s secrets—your private conversations, banking information, photographs—transparent to prying eyes is watch a cute cat video on YouTube, and catch the interest of a nation-state or law enforcement agency that has $1 million or so to spare.

To understand why, you have to realize that even in today’s increasingly security-conscious internet, much of the traffic is still unencrypted. You might be surprised to learn that even popular sites that advertise their use of encryption frequently still serve some unencrypted content or advertisements. While people now recognize that unencrypted traffic can be monitored, they may not recognize that it also serves as a direct path into compromising their computers.

Companies such as Hacking Team and FinFisher sell devices called “network injection appliances.” These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people’s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. The machine also exploits Microsoft’s login.live.com web site in the same manner.

(...)

full article

512k day

A reliability problem, not a security one:

512k day is the unofficial title of an event that started on August 12, 2014. Multiple Internet routers, manufactured by Cisco and other vendors, encountered a default software limit of 512K (512,000 - 524,288)[1][2] IPv4 BGP routing table entries, causing assorted outages at various data centers. Various IT professionals reported the issue on Internet forums, sometimes as just "512k", and under a Twitter hashtag of #512k.

source: Wikipedia

Car hacking


How Hackable Is Your Car? Consult This Handy Chart
Wired


"(...) In a talk today at the Black Hat security conference in Las Vegas—and an accompanying 92-page paper—Valasek and Miller will present the results of a broad analysis of dozens of different car makes and models, assessing the vehicles’ schematics for the signs that hint at vulnerabilities to auto-focused hackers. The result is a kind of handbook of ratings and reviews of automobiles for the potential hackability of their networked components. “For 24 different cars, we examined how a remote attack might work,” says Valasek, director of vehicle security research at the security consultancy IOActive. “It really depends on the architecture: If you hack the radio, can you send messages to the brakes or the steering? And if you can, what can you do with them?” (...)"

USB insecurity

Why the Security of USB Is Fundamentally Broken - Wired

"Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue."

full article in Wired

Tor vulnerability allows users to be identified

one more...

Tor has a vulnerability that identifies users
Exame Informática

The alert was raised by two researchers from Carnegie Mellon University: Alexander Volynkin and Michael McCord were going to speak publicly at the Black Hat conference and explain how to identify who is browsing the Tor network.

Now an announcement on the conference website indicates that the two speakers are, inexplicably, withdrawing their talk. (...)

Encrypted SSD

Intel launches an encrypted SSD:
http://thehackernews.com/2014/07/Intel-solid-state-drives-self-encryption.html
http://www.intel.com/content/www/us/en/solid-state-drives/solid-state-drives-pro-2500-series.html

Keyloggers on public computers

In case there were still any doubts about the risks of accessing personal accounts on public computers...

The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.

Beware Keyloggers at Hotel Business Centers
Krebs on Security

Viper

Viper is a binary management and analysis framework dedicated to malware and exploit researchers

http://viper.li

Dragonfly

Dragonfly: Western Energy Companies Under Sabotage Threat

Symantec

An ongoing cyberespionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to energy supplies in affected countries.

Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

The Dragonfly group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors. Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.

This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems. While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required.

In addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations. The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, either written by or for the attackers.

Prior to publication, Symantec notified affected victims and relevant national authorities, such as Computer Emergency Response Centers (CERTs) that handle and respond to Internet security incidents.

full article

Knox: from Samsung to Android

An interesting article on Samsung's Knox technology (based on the ARM architecture's TrustZone) being adopted by Google in Android.

Android L Knox integration is essential in the fight against hackers

Google’s decision to integrate Samsung’s Knox security service into Android L is a step in the right direction, but not enough to fully protect the mobile operating system against hackers, who are hitting it with more malware than the firm is willing to admit, according to security experts.

(...)

Code Spaces and the risks of the cloud

The Code Spaces service was wiped out by an attacker who gained control of its AWS management console:

On Tuesday the 17th of June 2014 we received a well orchestrated DDOS against our servers, this happens quite often and we normally overcome them in a way that is transparent to the Code Spaces community. On this occasion however the DDOS was just the start.

An unauthorised person who at this point is still unknown (all we can say is that we have no reason to think it's anyone who is or was employed with Code Spaces) had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them using a hotmail address.

Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS.

Upon realisation that somebody had access to our control panel we started to investigate how access had been gained and what access that person had to the data in our systems, it became clear that so far no machine access had been achieved due to the intruder not having our Private Keys.

At this point we took action to take control back of our panel by changing passwords; however, the intruder had prepared for this and had already created a number of backup logins to the panel, and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel. We finally managed to get our panel access back, but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances and several machine instances.

In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.

(...)

Full report on the (former) Code Spaces site

Vocabulary for Event Recording and Incident Sharing (VERIS)

The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. VERIS targets this problem by helping organizations to collect useful incident-related information and to share that information - anonymously and responsibly - with others. The overall goal is to lay a foundation from which we can constructively and cooperatively learn from our experiences to better measure and manage risk.

VERIS Community
VERIS Community Database (VCDB)

Nokia blackmailed

into paying so that part of the Symbian source code would not be revealed. It is not obvious whether the code was stolen using something classifiable as hacking, but that seems the most likely explanation.

Nokia 'paid millions to software blackmailers six years ago'

(Reuters) - Finnish telecoms equipment company Nokia paid several million euros to criminals who threatened to reveal the source code for part of an operating system used in its smartphones some six years ago, Finnish TV station MTV said on Tuesday.

The police confirmed to Reuters that they were investigating a case of alleged blackmail and that the case was still open. Nokia was not immediately available for comment.

"We are investigating felony blackmail, with Nokia the injured party," Detective Chief Inspector Tero Haapala said, but declined to give further details.

MTV said that the blackmailers had acquired the encryption key for a core part of Nokia's Symbian software and threatened to make it public.

full story at Reuters

Synthetic ID Theft

Banking: alarming new trend in identity theft
Inteligência Económica

"A new trend in identity theft. Instead of stealing someone's identity by impersonating that person with banking institutions, thieves are now meticulously creating false identities (combining false and real data, or using only false information) to apply for credit cards and loans."

full story

Insurance against cyber-attacks

Cyberattack Insurance a Challenge for Business
NY Times

(...)

Specialized policies to protect against online attacks are offered by about 50 carriers, including big names like the American International Group, Chubb and Ace. As data breaches have become a reality of the business world, more companies are buying policies; demand increased 21 percent last year from 2012, according to Marsh, a risk management company and insurance broker.

Yet companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses.

The main problem is quantifying losses from attacks, because they are often intangible — lost sales or damage to a brand name, like the public relations disaster Target suffered after the breach of its point-of-sale systems late last year.

(...)

Total cyberinsurance premiums paid last year reached $1.3 billion, according to Betterley Risk Consultants, a jump from the $1 billion paid in 2012. The bulk of that involves smaller policies issued to small to midsize businesses.

The most coverage a company can hope to acquire, using multiple underwriters, is about $300 million, experts say, significantly less than the billions of dollars’ worth of coverage available in property insurance.

(...)

Vodafone report on lawful interception and privacy

Interesting:

Our customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws. Respecting that right is one of our highest priorities: it is integral to the Vodafone Code of Conduct which everyone who works for us has to follow at all times.

However, in every country in which we operate, we have to abide by the laws of those countries which require us to disclose information about our customers to law enforcement agencies or other government authorities, or to block or restrict access to certain services. Those laws are designed to protect national security and public safety or to prevent or investigate crime and terrorism, and the agencies and authorities that invoke those laws insist that the information demanded from communications operators such as Vodafone is essential to their work.

Refusal to comply with a country’s laws is not an option. If we do not comply with a lawful demand for assistance, governments can remove our licence to operate, preventing us from providing services to our customers. Our employees who live and work in the country concerned may also be at risk of criminal sanctions, including imprisonment. We therefore have to balance our responsibility to respect our customers’ right to privacy against our legal obligation to respond to the authorities’ lawful demands as well as our duty of care to our employees, recognising throughout our broader responsibilities as a corporate citizen to protect the public and prevent harm.

Law Enforcement Disclosure Report (report)

OpenSSL MITM

"Don't look now, but it's time to patch OpenSSL again: A critical flaw discovered in the open-source encryption software could allow an attacker to hijack an SSL/TLS session and decrypt and alter the traffic sent between the client and server machines.

The OpenSSL team today released an update that patches the flaw, classified as critical by SANS Internet Storm Center, as well as five other vulnerabilities.

The SSL/TLS man-in-the middle flaw (CVE-2014-0224) centers around a weakness in the "handshake" between client and server in an OpenSSL SSL/TLS session. "I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers," SANS Internet Storm Center head Johannes Ullrich said today in a blog post."

DarkReading

Internet census using a botnet

The article is from 2012, but it is amusing because they used a very simple botnet to carry out a kind of census of the Internet:

While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. 
All data gathered during our research is released into the public domain for further study. 

map of the ~460 million IP addresses that responded to ping

Trying out XSS attacks

In the XSS Game Arena, Google gives developers six challenges so that they can gain more knowledge about computer security. Only by solving a challenge does the user gain access to the next puzzle. In case of emergency, the company provides some hints to get past the problem, specifically three per level.


The TrueCrypt mystery

http://www.theregister.co.uk/2014/05/28/truecrypt_hack/

The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.

It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.

TrueCrypt website: http://truecrypt.sourceforge.net

Kali Linux 1.0.7

Kali Linux 1.0.7 has just been released, complete with a whole bunch of tool updates, a new kernel, and some cool new features. Check out our changelog for a full list of these items. As usual, you don’t need to re-download or re-install Kali to benefit from these updates – you can update to the latest and greatest using these simple commands: (...)

For quite some time now, we’ve been preaching that Kali Linux is more than a “Linux distribution with a collection of tools in it”. We invest a significant amount of time and resources developing and enabling features in the distribution which we think are useful for penetration testers and other security professionals. These features range from things like “live-build”, which allows our end users to easily customize their own Kali ISOs, to features like Live USB persistence encryption, which provides paranoid users with an extra layer of security. Many of these features are unique to Kali and can be found nowhere else. We’ve started tallying these features and linking them from our Kali documentation page – check it out, it’s growing to be an impressive list!

Right to be forgotten

"A decision by the Court of Justice of the European Union last week, which recognised the “right to be forgotten” in the case of a Spanish citizen, sparked a wave of debate and a split between Europe and the United States."

In Público: “Right to be forgotten” forgets what: privacy or freedom of expression?

Major Europol operation against the BlackShades malware

excerpts from the Europol press release:

During two days of operations taking place in 16 countries worldwide, coordinated by Eurojust in The Hague and supported by the European Cybercrime Centre (EC3) at Europol, creators, sellers and users of BlackShades malware were targeted by judicial and law enforcement authorities.

During both action days, 359 house searches were carried out worldwide, and more than 80 people were arrested. Over 1100 data storage devices suspected of being used in illegal activities were seized, including computers, laptops, mobile telephones, routers, external hard drives and USB memory sticks. Substantial quantities of cash, illegal firearms and drugs were also seized.

A recent case in the Netherlands of BlackShades malware being used for criminal purposes was that of an 18-year-old man who infected at least 2000 computers, controlling the victim’s webcams to take pictures of women and girls.

Countries that undertook action against creators, sellers and users of the malware included the Netherlands, Belgium, France, Germany, UK, Finland, Austria, Estonia, Denmark, USA, Canada, Chile, Croatia, Italy, Moldova and Switzerland.

(...)

BlackShades has sold and distributed malicious software (malware) to thousands of individuals throughout the world. BlackShades' flagship product was the BlackShades RAT, a sophisticated piece of malware that enables its users to remotely and surreptitiously gain complete control over a victim's computer. Once installed on a victim's computer, a user of the RAT is free to, among other things, access and view documents, photographs and other files, record all of the keystrokes entered and even activate the webcam on the victim's computer - all of which could be done without the victim's knowledge. BlackShades also makes it possible to carry out large-scale distributed denial-of-service (DDoS) cyber-attacks.

A particularly malicious aspect of this software is the ability to encrypt and deny access to files. BlackShades provides sample letters such as the following for users of the software to modify:

full press release