Invoice fraud - updates

A 2013 blog post already mentioned the program that has now lost the tax authority's certification, and another post mentioned a second one (others are named in readers' comments). If the post's content is accurate, the program had a button that carried out the fraud in a "user friendly" way. Others have no such button and the fraud is carried out with a second program, run from a USB flash drive.

A very interesting SIC report says that many invoicing programs allow this kind of fraud: Reportagem Especial "Contas Ocultas" on Jornal da Noite

Updates to today's story on the Expresso and Público websites

Invoice fraud in the restaurant sector

A very interesting case that shows how hard it is to guarantee the security of software running on an untrusted machine, and how hard it is to certify software.

Tax authority blocks use of iECR invoicing software
TekSapo
Notice of the suspension of the licence issued by the Autoridade Tributária - which is required to validate the use of the invoicing software - was reportedly delivered to the company iECR last Thursday, 24 April, as can be read in the statement posted on the company's website.

Recall that the rules implemented by the Autoridade Tributária (AT) require every company that invoices more than 100 thousand euros or issues more than a thousand invoices a year to use licensed software; close to 2 thousand certificates have been issued for applications.

Today's story in Correio da Manhã refers to an order from the Secretary of State for Fiscal Affairs that has reportedly launched a "real hunt for tax evasion in the restaurant sector". The document TeK had access to states that the software "does not meet the legally required certification requirements". On the tax authority's own website the application already appears as revoked, dated 24 April.

(...)

The AT's list shows about ten applications as revoked: each obtained a licence to operate at some point that was later withdrawn. However, Assoft (Associação Portuguesa de Software) says this iECR case is the first in which the AT has been forced to revoke a certificate, the others being voluntary revocations because application versions were discontinued.

(...)

Some descriptions of the tax-evasion scheme allegedly used are also circulating on the Internet: it reportedly relies on a "green button" or "magic button" that suspends the sale whenever the customer does not ask for an invoice with their taxpayer number, so that the sale is never declared to the authorities. Other applications are also mentioned in connection with schemes of this kind.

(...)

full story on TekSapo

insecurity in hospitals

It’s Insanely Easy to Hack Hospital Equipment
Wired

(...)

In a study spanning two years, Erven and his team found drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.

Erven’s team also found that, in some cases, they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.

“Many hospitals are unaware of the high risk associated with these devices,” Erven says. “Even though research has been done to show the risks, health care organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”

(...)

Erven, who plans to present some of his findings today at Thotcon in Chicago, began his research after a security consultancy performing a penetration test on an Essentia Health network discovered some devices connected to the network that had security issues. This, combined with previous research done by other security experts showing problems with insulin pumps, defibrillators and hardcoded passwords in medical devices, prompted Essentia to take an extensive look at all of its equipment.

(...)

“A lot of the web services allow unauthenticated or unencrypted communication between the devices, so we’re able to alter the info that gets fed into the medical record … so you would get misdiagnosis or get prescriptions wrong,” he says. “The physician is taught to rely on the information in the medical records … [but] we could alter the data that was feeding from these systems, due to the vulnerabilities we found.”

(...)

Some of the most disturbing problems they found involved infusion pumps, ICDs (implantable cardiovascular defibrillators that deliver shocks to a patient who shows signs of going into cardiac arrest) and CT scans. They found a number of infusion pumps that have a web administration interface for nurses to change drug dosage levels from their workstations. Some of the systems are not password-protected, while others have hardcoded passwords that are weak and universal to all customers.

With the CT scan, they could alter configuration files and change radiation exposure limits that set the amount of radiation patients receive.

Though targeted attacks would be difficult to pull off in most cases they examined, since hackers would need to have additional knowledge about the systems and the patients hooked up to them, Erven says random attacks causing collateral damage would be fairly easy to pull off.

That’s not the case with implantable defibrillators, however, which could be targeted.

“We found a couple of defibrillator vendors that use a Bluetooth stack for writing configurations and doing test shocks [against the patient] when they’re implanted or after surgery,” he says. “They have default and weak passwords to the Bluetooth stack so you can connect to the devices. It’s a simple password like an iPhone PIN that you could guess very quickly.”

A fictional defibrillator attack had a prominent role in an episode of the TV show Homeland in 2012 but the risks of such an attack are real. Physicians for former Vice President Dick Cheney had the wireless capability of his defibrillator disabled in 2007 to prevent terrorists from conducting such an attack to kill him.

Satellite communications vulnerable

Satellite Communications Wide Open To Hackers
DarkReading

Satellite terminals widely used in transportation, military, and industrial plants contain backdoors, hardcoded credentials, weak encryption algorithms, and other design flaws, a new report says.

Critical design flaws have been discovered in the firmware of popular satellite land equipment that could allow attackers to hijack and disrupt communications links to ships, airplanes, military operations, industrial facilities, and emergency services.

If just one of these thousands of devices were to be compromised, the entire satellite telecommunications infrastructure could be in danger, according to research published today.

In some cases, an attacker need only send an SMS text message to launch an attack. "You could attack one of these devices with SMS, and trigger features to install new firmware or to compromise it," says Ruben Santamarta, principal security consultant for IOActive, who discovered the security flaws last fall and published a report on his findings today. An SMS from one ship to another could compromise some satellite communications, the report says.

"Attackers who compromise the database of an Inmarsat SIM/Terminals reseller can use this information to remotely compromise all those terminals," he says.

Santamarta dug up numerous design flaws in satellite ground terminal equipment from Harris Corp., Hughes, Thuraya, Cobham, JRC, and Iridium. The flaws include hardcoded credentials, undocumented protocols, insecure protocols, backdoors, and weak password reset features. He reported his findings to the CERT Coordination Center, which in turn alerted the affected vendors in January. But to date, just one vendor -- Iridium -- has responded to the alerts and is working on fixes.

"In most cases, attackers can completely compromise" the system, Santamarta says. "They could run their own code, install malicious firmware... and do anything they want with that device."

An attacker could disrupt satellite communication to a ship or aircraft, he says, potentially wreaking catastrophic damages. "They can spoof messages and trick the ship to follow a certain path, or to rescue another ship. They can disrupt communications... if a vessel can't send a distress signal, that's the worst scenario, if a ship can't communicate."

The same would be true for an airplane, he says. And an attacker would not even need physical access to the satellite equipment to pull off a link hijack or spoof; in many cases, hackers could execute their attacks remotely.

Santamarta found the flaws after downloading and reverse engineering the firmware for the systems. "I wasn't looking for memory or buffer overflow or other typical vulnerabilities. But design flaws [found] like backdoors or [weak] protocols are in a way more dangerous because you can reach the device" by using them.

Active Directory

Active Directory Is Dead: 3 Reasons
Dark Reading

These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.

Ninety-five percent of Fortune 500 companies use Active Directory, a 1990s technology, because their infrastructures are based on a 90s network architecture of on-premises PCs, applications, servers, and tools. But look around. Today's hottest startups -- companies like Dropbox, Uber, Pinterest, and Tumblr -- just snort, and say, "The 90s called, and they want their infrastructure back."

Full disclosure: I am the CEO and Founder of OneLogin, a cloud-based identity and access management company. Active Directory integration is one of our focus areas. And though I have other fond memories of the 90s -- Nirvana, X-Files, Hale-Bopp -- Active Directory isn't one of them. These days, Active Directory smells gangrenous to innovative companies that were born in the cloud and operate at light speed interconnecting customers, employees, and partners across an array of devices and time zones.

Before laughing off the death of Active Directory, remember we also never imagined that Apple would one day have a bigger market capitalization than IBM, or Google would be nine times more valuable than General Motors. Today’s 30-person company is positioning itself to be tomorrow’s 1,500-person company.

Why am I predicting the death of Active Directory?

(...)

Tails: Linux with privacy

When NSA whistle-blower Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. But this month, we learned that Snowden used another technology to keep his communications out of the NSA’s prying eyes. It’s called Tails. And naturally, nobody knows exactly who created it.

Tails is a kind of computer-in-a-box. You install it on a DVD or USB drive, boot up the computer from the drive and, voila, you’re pretty close to anonymous on the internet. At its heart, Tails is a version of the Linux operating system optimized for anonymity. It comes with several privacy and encryption tools, most notably Tor, an application that anonymizes a user’s internet traffic by routing it through a network of computers run by volunteers around the world.

full article:

Heartbleed explained

in words, on the McAfee blog

in pictures:

with thanks to João Garcia and João Barreto

OpenSSL vulnerability allows traffic to be eavesdropped

Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

Full article:
Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping - ArsTechnica
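The OpenSSL defect above is Heartbleed: the heartbeat handler echoed back as many bytes as the peer's length field claimed, without checking that claim against the record it had actually received. The model below is added here and is not OpenSSL's code; the record layout follows the TLS heartbeat extension, while the simulated heap and the "secret" string are constructed for the example.

```python
"""Model of the Heartbleed length check, constructed for this post (not OpenSSL code)."""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 1 + 2        # type byte + 16-bit payload_length
MIN_PADDING = 16          # TLS heartbeat records carry at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Heartbeat record: type | payload_length (u16 big-endian) | payload | padding.
    claimed_length lets the caller state a payload size that differs from the truth."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(record: bytes, memory: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trust the sender's payload_length and echo that many
    bytes starting at the payload, regardless of how long the record really is.
    `memory` models the heap: the record sits at offset 0, other data follows it."""
    _, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    # BUG: no check that payload_length fits inside the received record
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def fixed_handler(record: bytes, memory: bytes) -> Optional[bytes]:
    """1.0.1g behaviour: bound payload_length by the actual record length
    and silently discard the record when the claimed payload does not fit."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    _, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def demo() -> tuple:
    """Constructed heap: a record claiming 40 bytes but carrying 5, followed by a
    stand-in for adjacent key material. Returns (vulnerable reply, fixed reply)."""
    secret = b"PRIVATE_KEY_FRAGMENT"
    lying = build_heartbeat(b"hello", claimed_length=40)
    memory = lying + secret + b"\x00" * 64
    return vulnerable_handler(lying, memory), fixed_handler(lying, memory)
```

The vulnerable reply contains 40 bytes, including part of the "secret" that was never in the request, while the fixed handler returns None and sends nothing, which is also why the real bug left no trace in server logs.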

a five-year-old hacker

cyber-attacks drive job growth

Increase in Cyber Attacks Leads to Jobs Boom
BBC News, March 25

As the number and sophistication of cyber attacks increase, so too does the demand for people who can prevent such attacks. As a result, cybersecurity is having a jobs boom. But there aren't enough people with the necessary skills to become the next generation of cyber professionals. According to the most recent U.S. Bureau of Labor statistics, demand for graduate-level information security workers will rise by 37% in the next decade, more than twice the predicted rate of increase for the overall computer industry. In response, private sector firms and governments have been hurrying to work with universities to fill the gap. This includes an ambitious project by IBM to create a partnership of 200 universities to produce the missing expertise.