Netflix publishes two security tools

from the Netflix blog:

Announcing Scumblr and Sketchy - Search, Screenshot, and Reclaim the Internet
Netflix is pleased to announce the open source release of two security-related web applications: Scumblr and Sketchy!

Many security teams need to stay on the lookout for Internet-based discussions, posts, and other bits that may be of impact to the organizations they are protecting. These teams then take a variety of actions based on the nature of the findings discovered. Netflix’s security team has these same requirements, and today we’re releasing some of the tools that help us in these efforts.

(...)

Scumblr is a Ruby on Rails web application that allows searching the Internet for sites and content of interest. Scumblr includes a set of built-in libraries that allow creating searches for common sites like Google, Facebook, and Twitter. For other sites, it is easy to create plugins to perform targeted searches and return results. Once you have Scumblr set up, you can run the searches manually or automatically on a recurring basis.

One of the features we wanted to see in Scumblr was the ability to collect screenshots and text content from potentially malicious sites - this allows security analysts to preview Scumblr results without the risk of visiting the site directly. We wanted this collection system to be isolated from Scumblr and also resilient to sites that may perform malicious actions. We also decided it would be nice to build an API that we could use in other applications outside of Scumblr. Although a variety of tools and frameworks exist for taking screenshots, we discovered a number of edge cases that made taking reliable screenshots difficult - capturing screenshots from AJAX-heavy sites, cut-off images with virtual X drivers, and SSL and compression issues in the PhantomJS driver for Selenium, to name a few. In order to solve these challenges, we decided to leverage the best possible tools and create an API framework that would allow for reliable, scalable, and easy to use screenshot and text scraping capabilities. Sketchy to the rescue!

(...)

Chinese hacker attack on US hospital group steals data of 4.5 million patients

Although no medical data was stolen, it is further evidence that the vulnerabilities exist and that healthcare providers have to protect their information very well.

The hospital group in question consists of 206 hospitals in 29 states.

full article

Problems with PGP

A very interesting post by Matthew Green on the problems with PGP. Some excerpts:

What's the matter with PGP?

(...)

As transparent and user-friendly as the new email extensions are, they're fundamentally just re-implementations of OpenPGP -- and non-legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it's a model of email encryption that's fundamentally broken.

It's time for PGP to die.

In the remainder of this post I'm going to explain why this is so, what it means for the future of email encryption, and some of the things we should do about it. Nothing I'm going to say here will surprise anyone who's familiar with the technology -- in fact, this will barely be a technical post. That's because, fundamentally, most of the problems with email encryption aren't hyper-technical problems. They're still baked into the cake.

(...)

So what should we be doing?

Quite a lot actually. The path to a proper encrypted email system isn't that far off. At minimum, any real solution needs:

  • A proper approach to key management. This could be anything from centralized key management as in Apple's iMessage -- which would still be better than nothing -- to a decentralized (but still usable) approach like the one offered by Signal or OTR. Whatever the solution, in order to achieve mass deployment, keys need to be made much more manageable or else submerged from the user altogether.
  • Forward secrecy baked into the protocol. This should be a pre-condition to any secure messaging system.
  • Cryptography that post-dates the Fresh Prince. Enough said.
  • Screw backwards compatibility. Securing both encrypted and unencrypted email is too hard. We need dedicated networks that handle this from the start.

(...)

full article
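Green's second bullet, forward secrecy baked into the protocol, is easier to appreciate with a concrete key compromise in front of you. The script below is an added illustration written for this post; it is not code from Green's article, from OpenPGP, or from Signal/OTR. It places a simplified PGP-like model (one long-term key from which every message key can be recovered) next to a symmetric hash ratchet of the kind Signal uses for its chain keys, and then simulates an attacker who captures the key state in the middle of the conversation. The stream cipher, the message texts and the keys are constructed for the demonstration only.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Added illustration (not code from Green's post, OpenPGP, or Signal/OTR):
# a symmetric hash ratchet next to a single long-term key, so the effect of
# forward secrecy on a mid-conversation key compromise can be observed.


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher used only to make key compromise visible: XOR the data
    with an HMAC-SHA256 counter keystream. Encrypt and decrypt are the same call."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def static_message_key(long_term_key: bytes, index: int) -> bytes:
    """PGP-like model, simplified: every message key is recoverable from the one
    long-term key (in real OpenPGP the random session key is wrapped to that key)."""
    return hmac.new(long_term_key, b"msg" + index.to_bytes(4, "big"), hashlib.sha256).digest()


def static_key_send(long_term_key: bytes, messages: List[bytes]) -> List[bytes]:
    """Encrypt every message under a key derived from the same long-term key."""
    return [keystream_xor(static_message_key(long_term_key, i), m)
            for i, m in enumerate(messages)]


def static_key_compromise(long_term_key: bytes, ciphertexts: List[bytes]) -> Dict[int, bytes]:
    """Holding the long-term key opens every message, past and future."""
    return {i: keystream_xor(static_message_key(long_term_key, i), c)
            for i, c in enumerate(ciphertexts)}


def ratchet_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One-way step: derive (next chain key, message key) from the current chain key.
    The caller discards the old chain key, which is what forward secrecy relies on."""
    next_chain = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain, message_key


def ratchet_send(initial_chain_key: bytes, messages: List[bytes]) -> Tuple[List[bytes], List[bytes]]:
    """Encrypt each message under a fresh message key. Returns the ciphertexts and,
    for the demonstration only, the chain key held just before each message."""
    ciphertexts, chain_keys_before = [], []
    chain_key = initial_chain_key
    for m in messages:
        chain_keys_before.append(chain_key)
        chain_key, message_key = ratchet_step(chain_key)
        ciphertexts.append(keystream_xor(message_key, m))
    return ciphertexts, chain_keys_before


def ratchet_compromise(captured_chain_key: bytes, start: int, ciphertexts: List[bytes]) -> Dict[int, bytes]:
    """An attacker who captures the chain key held just before message `start` can
    walk the ratchet forward and read messages start..n-1, but nothing earlier:
    earlier message keys sit behind a one-way HMAC of a chain key already erased."""
    recovered = {}
    chain_key = captured_chain_key
    for i in range(start, len(ciphertexts)):
        chain_key, message_key = ratchet_step(chain_key)
        recovered[i] = keystream_xor(message_key, ciphertexts[i])
    return recovered


def ratchet_attempt_backwards(captured_chain_key: bytes, earlier_ciphertext: bytes) -> bytes:
    """The best the attacker can do on an earlier message with the captured state: garbage."""
    _, message_key = ratchet_step(captured_chain_key)
    return keystream_xor(message_key, earlier_ciphertext)


# Constructed sample conversation and keys (not real secrets).
MESSAGES = [b"hi", b"meet at noon", b"bring the slides", b"see you"]
LONG_TERM_KEY = b"constructed-long-term-key"
INITIAL_CHAIN_KEY = b"constructed-initial-chain-key"

if __name__ == "__main__":
    static_cts = static_key_send(LONG_TERM_KEY, MESSAGES)
    print("long-term key compromised:", static_key_compromise(LONG_TERM_KEY, static_cts))
    ratchet_cts, chain_keys = ratchet_send(INITIAL_CHAIN_KEY, MESSAGES)
    print("chain key before message 2 compromised:", ratchet_compromise(chain_keys[2], 2, ratchet_cts))
    print("same captured key tried on message 1:", ratchet_attempt_backwards(chain_keys[2], ratchet_cts[1]))
```

In the static model the compromise returns the whole conversation; in the ratchet it returns only messages 2 and 3, and applying the captured state to message 1 yields noise. A real protocol also mixes in fresh Diffie-Hellman output so that a captured chain key does not compromise the future indefinitely either; that half (the "DH ratchet") is deliberately left out here to keep the forward-secrecy property isolated.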

network injection appliances

You Can Get Hacked Just By Watching This Cat Video on YouTube
By Morgan Marquis-Boire
The Intercept

Many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites. People also think that the NSA and its international partners are the only ones who have turned the internet into a militarized zone. But according to research I am releasing today at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, many of these commonly held beliefs are not necessarily true. The only thing you need to do to render your computer’s secrets—your private conversations, banking information, photographs—transparent to prying eyes is watch a cute cat video on YouTube, and catch the interest of a nation-state or law enforcement agency that has $1 million or so to spare.

To understand why, you have to realize that even in today’s increasingly security-conscious internet, much of the traffic is still unencrypted. You might be surprised to learn that even popular sites that advertise their use of encryption frequently still serve some unencrypted content or advertisements. While people now recognize that unencrypted traffic can be monitored, they may not recognize that it also serves as a direct path into compromising their computers.

Companies such as Hacking Team and FinFisher sell devices called “network injection appliances.” These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people’s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge. The machine also exploits Microsoft’s login.live.com web site in the same manner.

(...)

full article
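The point Marquis-Boire makes about sites that "advertise their use of encryption" yet still load some content in the clear is one a site owner can check for directly. The scanner below is an added example written for this post (not code from The Intercept or Citizen Lab): given the HTML of a page served over HTTPS, it lists every sub-resource the page fetches over plain http://, which are exactly the requests an on-path device can observe and rewrite, and it separates "active" content (scripts, frames, stylesheets, plugin objects, which execute or apply in the page) from "passive" content (images and media, such as the video stream in the article). The sample page, its hostnames and its URLs are constructed.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Added illustration (not code from The Intercept or Citizen Lab): a mixed-content
# scanner for a page that is itself served over https. Each http:// sub-resource
# it reports is a request an on-path injection device could rewrite.

# tag -> attribute that holds the URL the browser will fetch
FETCH_ATTRS = {
    "script": "src", "iframe": "src", "frame": "src", "embed": "src",
    "object": "data", "link": "href",
    "img": "src", "video": "src", "audio": "src", "source": "src",
}
# resources that run or apply in the page, as opposed to being merely displayed
ACTIVE_TAGS = {"script", "iframe", "frame", "embed", "object", "link"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []   # (tag, absolute url, kind)

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = {k: (v or "") for k, v in attrs}
        # only <link> elements that actually fetch and apply something
        if tag == "link":
            rel = attr_map.get("rel", "").lower().split()
            if "stylesheet" not in rel:
                return
        value = attr_map.get(attr_name, "").strip()
        if not value:
            return
        # resolve relative and protocol-relative (//host/path) references against the page,
        # so a //cdn reference on an https page correctly counts as https
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, absolute, kind))


def find_mixed_content(page_url: str, html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, url, kind) for every http:// sub-resource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only meaningful for a page served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the hostnames are not real sites.
SAMPLE_PAGE_URL = "https://news.example/article"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="https://news.example/site.css">
  <link rel="stylesheet" href="http://cdn.example/old.css">
  <link rel="canonical" href="http://news.example/article">
  <script src="//static.example/app.js"></script>
  <script src="http://ads.example/tracker.js"></script>
</head><body>
  <img src="/images/logo.png">
  <img src="http://img.example/banner.jpg">
  <iframe src="https://player.example/embed/123"></iframe>
  <video src="http://media.example/cat.mp4"></video>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

On the sample page the scanner flags the old stylesheet and the ad script as active mixed content and the banner image and the video as passive; the canonical link, the protocol-relative script and the root-relative image are correctly left alone. The same logic is what a browser's mixed-content blocking applies, and a site that wants no clear-text sub-resources at all can enforce it server-side with the `upgrade-insecure-requests` Content Security Policy directive rather than auditing markup by hand.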

512k day

A reliability problem, not a security one:

512k day is the unofficial title of an event that started on August 12, 2014. Multiple Internet routers, manufactured by Cisco and other vendors, encountered a default software limit of 512K (512,000 - 524,288)[1][2] IPv4 BGP routing table entries, causing assorted outages at various data centers. Various IT professionals reported the issue on Internet forums, sometimes as just "512k", and under a Twitter hashtag of #512k.

source: Wikipedia

Car hacking

How Hackable Is Your Car? Consult This Handy Chart
Wired

"(...) In a talk today at the Black Hat security conference in Las Vegas—and an accompanying 92-page paper—Valasek and Miller will present the results of a broad analysis of dozens of different car makes and models, assessing the vehicles’ schematics for the signs that hint at vulnerabilities to auto-focused hackers. The result is a kind of handbook of ratings and reviews of automobiles for the potential hackability of their networked components. “For 24 different cars, we examined how a remote attack might work,” says Valasek, director of vehicle security research at the security consultancy IOActive. “It really depends on the architecture: If you hack the radio, can you send messages to the brakes or the steering? And if you can, what can you do with them?” (...)"