WordPress security

A checklist on WordPress security:

WordPress Security Checklist: 30 Action-Items

Hacking Team's spyware

SECRET MANUALS SHOW THE SPYWARE SOLD TO DESPOTS AND COPS WORLDWIDE
BY CORA CURRIER AND MORGAN MARQUIS-BOIRE

The Intercept

When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.

We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”

The manuals describe Hacking Team’s software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team’s manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software.

(...)

Full article


An epidemic... of medical data theft

Naked Security - Sophos

We're all sick of data breaches and privacy intrusions, with just about every new day bringing new stories of shops, banks and restaurants leaking epic amounts of customer information and celebrities having their intimate snaps spread around the internet.

Obscured by these headline-grabbing big-name leaks, a rash of smaller-scale breaches has been leaking a steady stream of data every bit as valuable as our card numbers and every bit as intimately private as our most graphic selfies. (...)

In just the last few weeks, some of those "smaller" breaches include:

Information Security on Facebook


The blog is now available on Facebook: https://www.facebook.com/seginfportugal. All posts are published there directly.

Black energy

A variant of the BlackEnergy malware is infecting numerous industrial systems / critical infrastructures:

ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).

ICS-CERT originally published information and technical indicators about this campaign in a TLP Amber alert (ICS-ALERT-14-281-01P) that was released to the US-CERT secure portal on October 8, 2014, and updated on October 17, 2014.

More information:
Alert (ICS-ALERT-14-281-01A)
Ongoing Sophisticated Malware Campaign Compromising ICS (Update A)

The faces of today's hackers

Very interesting:

Infographic: The Many Faces of Today’s Hackers
DarkReading

As part of National Cyber Security Awareness Month, Narus, a cyber security data analytics company, developed an infographic to give organizations a better understanding of today’s hackers -- from the general types of hackers that enterprises often face to the types of attacks they’re most likely to deploy. No enterprise can guarantee 100% security across all parts of the business. There are too many gaps at the perimeter, and sadly hackers have all the time they need to work around defenses and exploit these gaps.

Sandworm

On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.

Microsoft is making a patch for this vulnerability available as part of patch updates on the 14th – CVE-2014-4114.

Exploitation of this vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT Partners attributes to Russia.

Visible Targets
Visibility into this campaign indicates targeting across the following domains. It is critical to note that visibility is limited and that there is a potential for broader targeting from this group (and potentially other threat actors) using this zero-day.

  • NATO
  • Ukrainian government organizations
  • Western European government organization
  • Energy Sector firms (specifically in Poland)
  • European telecommunications firms
  • United States academic organization

See more at: http://www.isightpartners.com/2014/10/cve-2014-4114/

(...)

Full article

Poodle

"Poodle is a security vulnerability inherent to the SSLv3 protocol, which is used to hide (encrypt) web connections. The protocol has been steadily replaced by the TLS family, which is supported by practically all browsers."

Banking and public administration websites vulnerable to Poodle attacks


Content security policies and cross-site scripting

An interesting article on using content security policies (a W3C candidate standard) to protect sites from cross-site scripting. In fact, the mechanism also protects against a few other kinds of attack, as can be seen in the W3C document.

Article: Generating Content-Security-Policies, the easy way.
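As an added example (not code from the linked article or from the W3C document), the following builds a Content-Security-Policy header from a structured policy and lints it for the settings that undo its XSS protection; the two policies and the nonce value are constructed for illustration.

```python
"""Build a Content-Security-Policy header from a structured policy and lint it
for settings that weaken its cross-site scripting protection."""


def build_csp(policy):
    """Serialise {directive: [sources]} into a header value,
    e.g. {"script-src": ["'self'"]} -> "script-src 'self'"."""
    parts = []
    for directive, sources in policy.items():
        parts.append(f"{directive} {' '.join(sources)}".rstrip())
    return "; ".join(parts)


def parse_csp(header):
    """Parse a header value back into {directive: [sources]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(header):
    """Return findings that undermine XSS protection; an empty list means none."""
    policy = parse_csp(header)
    findings = []
    # script-src governs script execution and falls back to default-src.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    # With a nonce or hash present, CSP level 2+ browsers ignore 'unsafe-inline',
    # so it only counts as a weakness when neither is given.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if any(s in ("*", "https:", "http:", "data:") for s in script):
        findings.append("script-src allows scripts from any origin or scheme")
    # Plugins are another script path; object-src should be 'none'.
    objects = policy.get("object-src", policy.get("default-src", ["*"]))
    if objects != ["'none'"]:
        findings.append("object-src is not 'none'")
    return findings


# Constructed policies: a common weak one and a nonce-based strict one.
WEAK_POLICY = {"default-src": ["'self'"],
               "script-src": ["'self'", "'unsafe-inline'", "https:"]}
STRICT_POLICY = {"default-src": ["'self'"],
                 "script-src": ["'self'", "'nonce-r4nd0m'"],
                 "object-src": ["'none'"], "base-uri": ["'self'"]}
```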


Tyupkin: malware for stealing money from ATMs

What is curious is that physical access to the machine's hardware is required. With that access, one would expect the attack to consist of stealing the money directly. However, the goal is different: to be able to come back later and steal money, possibly several times.

Tyupkin: Manipulating ATM Machines with Malware
Kaspersky

(...)

This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

The malware uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night. It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.

When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

Most of the analyzed samples were compiled around March 2014. However, this malware has evolved over time. In its last variant (version .d) the malware implements anti-debug and anti-emulation techniques, and also disables McAfee Solidcore from the infected system.

Analysis

According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.

The attackers copied the following files into the ATM:

C:\Windows\system32\ulssm.exe
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\AptraDebug.lnk

After some checks of the environment, the malware removes the .lnk file and creates a key in the registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AptraDebug" = "C:\Windows\system32\ulssm.exe"

The malware is then able to interact with ATM through the standard library MSXFS.dll – Extension for Financial Services (XFS).

The malware runs in an infinite loop waiting for user input. In order to make it more difficult to detect, Tyupkin accepts (by default) commands only on Sunday and Monday nights.

It accepts the following commands:

XXXXXX – Shows the main window.
XXXXXX – Self deletes with a batch file.
XXXXXX – Increases the malware activity period.
XXXXXX – Hides the main window.

After every command the operator must press "Enter" on the ATM's pin pad.

Tyupkin also uses session keys to prevent interaction with random users. After entering the "Show the main window" command, the malware shows the message "ENTER SESSION KEY TO PROCEED!" using a random seed for each session.

The malicious operator must know the algorithm to generate a session key based on the seed shown. Only when this key is successfully entered is it possible to interact with the infected ATM.

After that, the malware shows the following message:

CASH OPERATION PERMITTED.
TO START DISPENSE OPERATION -
ENTER CASSETTE NUMBER AND PRESS ENTER.

When the operator chooses the cassette number, the ATM dispenses 40 banknotes from it.

(...)
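A small triage helper, added here and not part of the Kaspersky write-up, that parses `reg query` output for the Run key quoted above and flags entries matching the persistence indicators the write-up lists (value name AptraDebug, image ulssm.exe); the registry dump is a constructed sample, not a real capture.

```python
"""Flag Run-key persistence entries matching the Tyupkin indicators above
in the text output of `reg query HKLM\\...\\CurrentVersion\\Run`."""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the write-up on this page (compared case-insensitively).
TYUPKIN_VALUE_NAME = "aptradebug"
TYUPKIN_IMAGE = "ulssm.exe"

# Constructed sample of `reg query` output: one benign entry and the Tyupkin one.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    AptraDebug    REG_SZ    C:\Windows\system32\ulssm.exe
"""

# Value lines are indented: <name> <REG_type> <data>
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")


def parse_run_key(text):
    """Return [(value_name, reg_type, data)] for each value line in the dump."""
    entries = []
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            entries.append(match.groups())
    return entries


def image_name(data):
    """Lower-cased executable file name from a Run-key command line."""
    first_token = data.strip().split()[0].strip('"')
    return ntpath.basename(first_token).lower()


def flag_tyupkin(entries):
    """Return [(value_name, data)] for entries matching the Tyupkin indicators."""
    hits = []
    for name, _reg_type, data in entries:
        if name.lower() == TYUPKIN_VALUE_NAME or image_name(data) == TYUPKIN_IMAGE:
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in flag_tyupkin(parse_run_key(SAMPLE_REG_QUERY)):
        print(f"suspicious Run entry: {name} -> {data}")
```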

BadUSB

It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.