In search of the perfect backdoor

from Bruce Schneier:

"Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement.

The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is a single line of code: a second "goto fail;" statement. Since that statement isn't a conditional, it causes the whole procedure to terminate.

The flaw is subtle, and hard to spot while scanning the code. It's easy to imagine how this could have happened by error. And it would have been trivially easy for one person to add the vulnerability.

Was this done on purpose? I have no idea. But if I wanted to do something like this on purpose, this is exactly how I would do it."
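To make the control-flow point concrete, here is an added example modelled on the shape of that bug. It is not Apple's SecureTransport code: the hash and the signature check are stand-ins constructed for the example (a multiply-add checksum and a "signature equals digest" comparison, with hypothetical names such as toy_sign), and only the duplicated unconditional goto is taken from the published bug. With the duplicated line in place, err still holds the 0 returned by the preceding successful call, the final hash and the signature comparison are never reached, and the function returns success for any signature at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the "goto fail" control-flow bug. The hash and the
 * signature check below are stand-ins constructed for this example:
 * they are NOT the SSLHashSHA1 / RSA code from Apple's SecureTransport.
 * Only the shape of the control flow is taken from the published bug.
 */

typedef struct { uint32_t state; } hash_ctx;

/* Return 0 on success, mirroring OSStatus-style error codes. */
static int hash_update(hash_ctx *ctx, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        ctx->state = ctx->state * 31u + buf[i];
    return 0;
}

static int hash_final(hash_ctx *ctx, uint32_t *digest)
{
    *digest = ctx->state;
    return 0;
}

/* In this toy, a valid "signature" is simply the digest of the message. */
uint32_t toy_sign(const uint8_t *msg, size_t len)
{
    hash_ctx ctx = {0};
    uint32_t digest;
    hash_update(&ctx, msg, len);
    hash_final(&ctx, &digest);
    return digest;
}

static int sig_verify(uint32_t digest, uint32_t signature)
{
    return digest == signature ? 0 : -1;   /* 0 == verified */
}

/*
 * VULNERABLE: same shape as the Apple bug. The second "goto fail;" is not
 * under the if, so it always executes. Control jumps to fail: with err
 * still 0 from the successful hash_update; hash_final and sig_verify are
 * never reached, so any signature is accepted.
 */
int verify_vulnerable(const uint8_t *msg, size_t len, uint32_t signature)
{
    hash_ctx ctx = {0};
    uint32_t digest;
    int err;

    if ((err = hash_update(&ctx, msg, len)) != 0)
        goto fail;
        goto fail;   /* the duplicated, unconditional jump */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = sig_verify(digest, signature);
fail:
    memset(&ctx, 0, sizeof ctx);
    return err;
}

/* FIXED: identical apart from the removed line. */
int verify_fixed(const uint8_t *msg, size_t len, uint32_t signature)
{
    hash_ctx ctx = {0};
    uint32_t digest;
    int err;

    if ((err = hash_update(&ctx, msg, len)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = sig_verify(digest, signature);
fail:
    memset(&ctx, 0, sizeof ctx);
    return err;
}

int main(void)
{
    /* Constructed sample input standing in for the signed key-exchange params. */
    const uint8_t msg[] = "ServerKeyExchange params";
    size_t len = sizeof msg - 1;
    uint32_t good = toy_sign(msg, len);
    uint32_t forged = good ^ 0xdeadbeefu;

    printf("vulnerable, forged signature: %s\n",
           verify_vulnerable(msg, len, forged) == 0 ? "ACCEPTED" : "rejected");
    printf("fixed, forged signature:      %s\n",
           verify_fixed(msg, len, forged) == 0 ? "ACCEPTED" : "rejected");
    printf("fixed, genuine signature:     %s\n",
           verify_fixed(msg, len, good) == 0 ? "accepted" : "REJECTED");
    return 0;
}
```

Compiling with gcc -Wmisleading-indentation (GCC 6 and later) or clang -Wunreachable-code flags exactly this shape, and a coverage run would show hash_final never executing; a house style that always braces if bodies removes the whole class of slip.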

Malware via YouTube ads

The Wild Wild Web: YouTube ads serving malware
source: Bromium Labs

There’s never a dull moment in the security industry: just as we heard about the latest IE 0day, one of our field security engineers in the Americas stumbled upon a YouTube link that was hosting malware. The vulnerability is not in YouTube as such, but the ad network seems to be the culprit in this case. We’re working with the Google security team to get to the bottom of this; in the meantime, some quick details about the infection are below.

Summary
- Classic drive-by download attack, infects the user by exploiting client software vulnerabilities.

- The ad network was discovered to be hosting the Styx exploit kit. This exploit kit was recently in the news for compromising hasbro.com. Well, the attackers seem to have upped their target this time by somehow getting into YouTube ads.

- The exploit leveraged in this was a Java exploit.

- The Trojan appears to be a Banking Trojan belonging to the Caphaw family.

- The outbound CnC went out to Europe in this infection, where the server is likely to be hosted. It uses a DGA (Domain Generation Algorithm) for CnC, we’re still digging into the various IP addresses leveraged.

full article at Bromium Labs

Record DDoS with NTP

"DDoS Attack Hits 400 Gbit/s, Breaks Record - A distributed denial-of-service NTP reflection attack was reportedly 33% bigger than last year's attack against Spamhaus"

Source: Dark Reading

CNPD e C3Priv

"The Centre of Competence in Cybersecurity and Privacy (C3Priv) of the University of Porto has developed for the Portuguese data protection authority (Comissão Nacional de Protecção de Dados, CNPD), under a partnership between the two organisations, the design of a USB flash drive containing several applications configured to give users back greater control over their privacy when browsing the Internet, while also offering portability of that protection when they need to access the Net from a computer that is not their own."

source: C3Priv

based on PortableApps.com

The Mask: a new super "APT"

Washington Post, Guardian links used to infect The Mask malware victims
ZDNet

Kaspersky Lab security research team just released details about "The Mask" (aka Careto) cyber-espionage malware, calling it "one of the most advanced threats at the moment" at the 2014 Kaspersky Security Analyst Summit.

Researchers told attendees The Mask is an extremely sophisticated nation-state spying tool and believe it to have been in operation since 2007.

IOC information has been included in Kaspersky's detailed technical research paper.

Like Flame, another Kaspersky discovery, Careto is a uniquely powerful and refined cyber-espionage operation comprised of modular tools.

The malware's primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research institutions, private equity firms and high-profile activists.

Its victims are exploited by phishing emails linking to tainted subdomains simulating subsections of the Washington Post, Guardian, and YouTube, among others.

The Mask collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files.

There are also several unknown extensions being monitored that Kaspersky has not been able to identify and said "could be related to custom military/government-level encryption tools."

In their explosive presentation "A Glimpse Behind The Mask" Kaspersky Lab's Russian researchers Costin Raiu, Vitaly Kamluk and Igor Soumenkov explained that the complexity and universality of the toolset used by the attackers behind "The Mask" earns the malware a place in history.
full story

DNS hijacking via wireless routers

Large-scale DNS redirection on home routers for financial theft

In late 2013 CERT Polska received confirmed reports about modifications in e-banking websites observed on… iPhones. Users were presented with messages about alleged changes in account numbers that required confirmation with mTANs. This behavior would suggest that some Zeus-like trojan had been ported to iOS. As this would be the first confirmed case of such malware targeting the platform, and at the same time it targeted Polish e-banking users, it immediately attracted our attention. Internally we have come up with several scenarios of how it might have happened, but unfortunately were not able to gather enough first-hand data about the case to rule out any options.

The key to the riddle was in recent reports about vulnerabilities in home routers allowing attackers to remotely modify their configuration. After DNS servers settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all. How was the webpage content altered, then?

The 7 deadly sins of software security

The 7 Deadly Sins of Application Security

How can two organizations with the exact same app security program have such wildly different outcomes over time? The reason is corporate culture.

The knee-jerk approach to application security is to start finding and fixing vulnerabilities. The problem with these reactive programs is that they end up being expensive witch-hunts that don’t change the way code is built. Instead, we need to think of those vulnerabilities as symptoms of a deeper problem that lies somewhere in the software development organization.

Over the past 15 years, I’ve worked with a variety of organizations, both large and small, to improve their application security capabilities. One thing I’ve noticed is that two organizations with the exact same application security activities can have wildly different results over time. One organization will improve, steadily stamping out entire classes of vulnerabilities. The other will continue to find the same problems year after year.

The difference is culture. In some organizations, security is an important concern that is considered a part of every decision. In others, security is considered a productivity killer and a waste of time. These "culture killers" will, most certainly, undermine and destroy your application security program. Let’s take a look at the seven most deadly security sins...

the list of the 7 is in the original article

(with thanks to Ibéria Medeiros)

How to lose 40 million credit cards

According to Brian Krebs, the attack on Target in which 40 million payment card records were stolen was carried out through a supplier's network. A second company had a connection to Target's network and weak authentication, which let the attackers into the network. Target's network was not segregated, so that access let them reach the data without difficulty...

excerpt from the article Did the crooks who broke into Target tailgate the cleaners? (Naked Security):

Rather casually oversimplified, the crooks tailgated the cleaners.

Actually, that wasn't what happened - neither literally, of course, because the crooks did their dirty work remotely; nor figuratively, because it was supposedly an HVAC company (heating, ventilation and air conditioning), not a cleaning company.

Nevertheless, it was tailgating of a sort, and it might well be a slip-up that could happen in your own organisation.

Having said that, my first thought, on reading Brian's piece, was that his explanation sounded preposterous.

Why would someone who maintains your aircon need remote access to your network?

Emergency access to the server room, perhaps, to tweak the settings on the plant itself if there's a snowstorm (or a heatwave) between Christmas and New Year.

But remote access to your whole corporate network?

It turns out, however, that heating and cooling in retail stores aren't just important services: they're as vital to opening for business, and taking money off customers, as your cash registers.

More vital, perhaps: if your cash registers are offline at 2am when no-one is shopping, you won't lose any sales, but if your air conditioning gets out of whack overnight, you might not be able to admit customers to your store at all in the morning.

Apparently, therefore, many HVAC companies have remote access to retail company networks in order to keep their eye out for heating and cooling problems.

That needn't be a recipe for disaster, but in Target's case, it sounds as though:

- The third-party company wasn't required to use any sort of two factor authentication.
- The network used by the third-party company and the network used for retail payments weren't segregated.

Self-destructing chips

A recent DARPA project: "The Vanishing Programmable Resources (VAPR) program seeks electronic systems capable of physically disappearing in a controlled, triggerable manner. These transient electronics should have performance comparable to commercial-off-the-shelf electronics, but with limited device persistence that can be programmed, adjusted in real-time, triggered, and/or be sensitive to the deployment environment."

Pry-Fi - privacy for Android

Recently, a Canadian programme to spy on visitors' movements using Wi-Fi came to light: CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents

Now an Android app has appeared -- Pry-Fi -- that supposedly prevents these attacks. The app looks somewhat odd and requires the phone to be "rooted", but if anyone wants to try it, I would welcome comments:

Pry-Fi

One solution is shutting off Wi-Fi completely (including the background network scanning, a setting most people don't know about), but you would lose benefits like automatically connecting to known Wi-Fi networks and improved location awareness for your apps. It also does nothing to help the situation for others.

Pry-Fi will prevent your device from announcing all the networks it knows to the outside world, but it will still allow background scanning and automatically connecting to Wi-Fi networks. While you are not connected to a Wi-Fi network, the MAC address will constantly be pseudo-randomized, following a pattern that still makes the trackers think you are a real person, but they will not encounter your MAC address again. This will slowly poison their tracking database with useless information.
When you do connect to a Wi-Fi network, unless you specify otherwise, your MAC address will also be randomized - the same MAC address will not be used the next time you connect to this or any other network.

(...)

This is proof-of-concept code, and how far it will go in the future depends on interest and how well it works. It has been tested on several devices and seems to work, but it is very young still. The magic the app does to achieve its purpose is ever subject to changing Android security policies and OEM customizations, so even though it works now, there really is no saying if it will still be possible in future firmwares.

Of course you should also keep in mind that tracking can be done in many ways, and these Wi-Fi signals are far from the only method in use.

More...

Further details, device compatibility information, FAQ, discussion, etc is all available on XDA-Developers.com here:
http://forum.xda-developers.com/showthread.php?t=2631512
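An added example (not Pry-Fi's own code; the post above does not say how it picks addresses) of the one part of MAC rotation that the 802 address format fixes for you: a random MAC is only usable as a station address if the I/G bit of the first byte is clear (unicast), and setting the U/L bit marks it as locally administered so it cannot collide with a vendor-assigned OUI. The xorshift32 generator, the seed and the helper name mac_rotation_demo are assumptions made so the output is reproducible; a real implementation would read the bytes from /dev/urandom or getrandom().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Pry-Fi code. xorshift32 is used only so that the
 * sequence is reproducible from a seed; draw from /dev/urandom or
 * getrandom() for the real thing.
 */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    *state = x;
    return x;
}

/*
 * Fill mac with random bytes, then fix the two flag bits of byte 0:
 *   bit 0 (I/G) cleared -> individual (unicast) address; a group address
 *                          is not valid as a transmitter address
 *   bit 1 (U/L) set     -> locally administered; cannot collide with a
 *                          vendor-assigned OUI
 */
void mac_randomize(uint8_t mac[6], uint32_t *state)
{
    for (int i = 0; i < 6; i++)
        mac[i] = (uint8_t)(xorshift32(state) >> 24);
    mac[0] = (uint8_t)((mac[0] & ~0x01u) | 0x02u);
}

/* True when the address is unicast and locally administered. */
int mac_is_local_unicast(const uint8_t mac[6])
{
    return (mac[0] & 0x03) == 0x02;
}

/* Render in the usual colon-separated hex form; out must hold 18 bytes. */
void mac_format(const uint8_t mac[6], char out[18])
{
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
}

/*
 * Hypothetical helper: simulate n rotations from one seed, each call
 * standing for "new address for the next scan / the next association".
 * Returns how many of the n addresses are well formed.
 */
int mac_rotation_demo(uint32_t seed, int n)
{
    uint32_t state = seed ? seed : 0x9e3779b9u; /* xorshift must not start at 0 */
    uint8_t mac[6];
    char text[18];
    int well_formed = 0;

    for (int i = 0; i < n; i++) {
        mac_randomize(mac, &state);
        mac_format(mac, text);
        printf("rotation %2d: %s%s\n", i, text,
               mac_is_local_unicast(mac) ? "" : "  <-- malformed");
        if (mac_is_local_unicast(mac))
            well_formed++;
    }
    return well_formed;
}

int main(void)
{
    mac_rotation_demo(0x12345678u, 8);
    return 0;
}
```

Note the trade-off against what the post claims: an address with the U/L bit set is itself a tell that the client is randomising, whereas making trackers "think you are a real person" would mean borrowing real vendor OUIs. And, as the post says, the MAC is only one identifier in a probe request; the sequence-number counter and the information-element fingerprint are others.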