Knox: from Samsung to Android

An interesting article on Samsung's Knox technology (based on the ARM architecture's TrustZone) being adopted by Google in Android.

Android L Knox integration is essential in the fight against hackers

Google’s decision to integrate Samsung’s Knox security service into Android L is a step in the right direction, but not enough to fully protect the mobile operating system against hackers, who are hitting it with more malware than the firm is willing to admit, according to security experts.

(...)

Code Spaces and the risks of the cloud

The Code Spaces service was wiped out by an attacker who gained control of its AWS management console:

On Tuesday the 17th of June 2014 we received a well orchestrated DDOS against our servers, this happens quite often and we normally overcome them in a way that is transparent to the Code Spaces community. On this occasion however the DDOS was just the start.

An unauthorised person who at this point is still unknown (all we can say is that we have no reason to think it's anyone who is or was employed with Code Spaces) had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them using a hotmail address.

Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS.

Upon realisation that somebody had access to our control panel we started to investigate how access had been gained and what access that person had to the data in our systems. It became clear that so far no machine access had been achieved, due to the intruder not having our Private Keys.

At this point we took action to take back control of our panel by changing passwords; however, the intruder had prepared for this and had already created a number of backup logins to the panel, and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel. We finally managed to get our panel access back, but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances and several machine instances.

In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.

(...)

Full report on the (former) Code Spaces site

Vocabulary for Event Recording and Incident Sharing (VERIS)

The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. VERIS targets this problem by helping organizations to collect useful incident-related information and to share that information - anonymously and responsibly - with others. The overall goal is to lay a foundation from which we can constructively and cooperatively learn from our experiences to better measure and manage risk.

VERIS Community
VERIS Community Database (VCDB)
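As an added example (not code from the VERIS project or from Code Spaces), the Code Spaces incident quoted above encoded as a VERIS-style record, the kind of structured description VERIS and the VCDB are meant to hold. The field names follow the VERIS JSON schema as I recall it and the enumeration values are chosen to fit the narrative; both are assumptions, as is the placeholder incident id, and the structural check is a minimal one, not the official VERIS schema validator.

```python
"""Describe the Code Spaces incident (June 2014) as a VERIS-style record.
Assumption: field names and enumeration values follow the VERIS JSON schema
as recalled here; they are not copied from VCDB."""
import json

# The "4 A's" of VERIS (actor, action, asset, attribute) plus the sections
# an incident record needs to be useful for comparison across incidents.
REQUIRED_SECTIONS = ("actor", "action", "asset", "attribute", "timeline", "victim")


def code_spaces_record():
    """Build the record from the facts stated in the Code Spaces report."""
    return {
        "incident_id": "EXAMPLE-code-spaces-2014",  # constructed placeholder id
        "security_incident": "Confirmed",
        "summary": ("DDoS used as cover for an extortion attempt; an intruder with "
                    "AWS control-panel access and pre-created backup logins deleted "
                    "EBS snapshots, S3 buckets, AMIs and instances during recovery."),
        "timeline": {"incident": {"year": 2014, "month": 6, "day": 17}},
        # External actor, identity unknown, motive was extortion (financial).
        "actor": {"external": {"variety": ["Unknown"], "motive": ["Financial"]}},
        # The report states a DDoS and console access; how the console
        # credentials were obtained is not stated, hence "Unknown".
        "action": {"hacking": {"variety": ["DoS", "Unknown"],
                               "vector": ["Web application"]}},
        # Assets hit: the hosted service itself and its backups.
        "asset": {"assets": [{"variety": "S - Web application"},
                             {"variety": "S - Backup"}]},
        # Impact was on availability: data and backups destroyed, service down.
        "attribute": {"availability": {"variety": ["Destruction", "Interruption"]}},
        "victim": {"victim_id": "Code Spaces"},
    }


def missing_sections(record):
    """Return the required sections absent from a record (empty list = complete)."""
    return [s for s in REQUIRED_SECTIONS if s not in record]


def to_json(record):
    """Serialise the record the way it would be shared or committed to VCDB."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    rec = code_spaces_record()
    assert not missing_sections(rec)
    print(to_json(rec))
```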

Nokia blackmailed

so that part of the Symbian source code would not be revealed. It is not obvious whether the code was stolen using something that could be classed as hacking, but that seems the most likely explanation.

Nokia 'paid millions to software blackmailers six years ago'

(Reuters) - Finnish telecoms equipment company Nokia paid several million euros to criminals who threatened to reveal the source code for part of an operating system used in its smartphones some six years ago, Finnish TV station MTV said on Tuesday.

The police confirmed to Reuters that they were investigating a case of alleged blackmail and that the case was still open. Nokia was not immediately available for comment.

"We are investigating felony blackmail, with Nokia the injured party," Detective Chief Inspector Tero Haapala said, but declined to give further details.

MTV said that the blackmailers had acquired the encryption key for a core part of Nokia's Symbian software and threatened to make it public.

full story at Reuters

Synthetic ID Theft

Banking: Alarming new trend in identity theft
Inteligência Económica

"A new trend in identity theft. Instead of stealing someone's identity by impersonating that person with banking institutions, thieves now meticulously build fake identities (combining fake and real data, or using only fake information) to apply for credit cards and loans."

full story

Insurance against cyber-attacks

Cyberattack Insurance a Challenge for Business
NY Times

(...)

Specialized policies to protect against online attacks are offered by about 50 carriers, including big names like the American International Group, Chubb and Ace. As data breaches have become a reality of the business world, more companies are buying policies; demand increased 21 percent last year from 2012, according to Marsh, a risk management company and insurance broker.

Yet companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses.

The main problem is quantifying losses from attacks, because they are often intangible — lost sales or damage to a brand name, like the public relations disaster Target suffered after the breach of its point-of-sale systems late last year.

(...)

Total cyberinsurance premiums paid last year reached $1.3 billion, according to Betterley Risk Consultants, a jump from the $1 billion paid in 2012. The bulk of that involves smaller policies issued to small to midsize businesses.

The most coverage a company can hope to acquire, using multiple underwriters, is about $300 million, experts say, significantly less than the billions of dollars’ worth of coverage available in property insurance.

(...)

Vodafone's report on lawful interception and privacy

Interesting:

Our customers have a right to privacy which is enshrined in international human rights law and standards and enacted through national laws. Respecting that right is one of our highest priorities: it is integral to the Vodafone Code of Conduct which everyone who works for us has to follow at all times.

However, in every country in which we operate, we have to abide by the laws of those countries which require us to disclose information about our customers to law enforcement agencies or other government authorities, or to block or restrict access to certain services. Those laws are designed to protect national security and public safety or to prevent or investigate crime and terrorism, and the agencies and authorities that invoke those laws insist that the information demanded from communications operators such as Vodafone is essential to their work.

Refusal to comply with a country’s laws is not an option. If we do not comply with a lawful demand for assistance, governments can remove our licence to operate, preventing us from providing services to our customers. Our employees who live and work in the country concerned may also be at risk of criminal sanctions, including imprisonment. We therefore have to balance our responsibility to respect our customers’ right to privacy against our legal obligation to respond to the authorities’ lawful demands as well as our duty of care to our employees, recognising throughout our broader responsibilities as a corporate citizen to protect the public and prevent harm.

Law Enforcement Disclosure Report (the report)

OpenSSL MITM

"Don't look now, but it's time to patch OpenSSL again: A critical flaw discovered in the open-source encryption software could allow an attacker to hijack an SSL/TLS session and decrypt and alter the traffic sent between the client and server machines.

The OpenSSL team today released an update that patches the flaw, classified as critical by SANS Internet Storm Center, as well as five other vulnerabilities.

The SSL/TLS man-in-the-middle flaw (CVE-2014-0224) centers around a weakness in the "handshake" between client and server in an OpenSSL SSL/TLS session. "I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers," SANS Internet Storm Center head Johannes Ullrich said today in a blog post."

DarkReading

An Internet census using a botnet

The article dates from 2012, but it is amusing because they used a very simple botnet to carry out a sort of census of the Internet:

While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.
All data gathered during our research is released into the public domain for further study.

map of the ~460 million IP addresses that responded to ping

trying out XSS attacks

In the XSS Game Arena, Google gives developers six challenges so they can gain more knowledge of computer security. Only by beating a challenge does the user gain access to the next puzzle. In an emergency, the company provides some hints for getting past the problem, specifically three per level.