DARPA Cyber Grand Challenge



Uma grande iniciativa que pode ter um grande impacto no estado da ciber-segurança! Um excerto da explicação:

The ultimate test of wits in computer security occurs through open competition on the global Capture the Flag (CTF) tournament circuit. In CTF contests, experts reverse engineer software, probe its weaknesses, search for deeply hidden flaws, and create securely patched replacements. How hard is this work? The recently discovered Heartbleed flaw in OpenSSL went undiscovered by automation for years before experts found it. The discovery of Heartbleed required the same type of reverse engineering excellence that CTFs are designed to hone.

What if a purpose built supercomputer could compete against the CTF circuit’s greatest experts? Such a computer could scour the billions of lines of code we depend on, find and fix the toughest flaws, upend the economics of computer security, and level the playing field between attackers and defenders.

Over the next two years, innovators worldwide are invited to answer the call of Cyber Grand Challenge. Over a series of competition events, the very first prototype CTF-playing systems will be constructed, competed, and selected.

In 2016, DARPA will hold the world’s first all-computer Capture the Flag tournament live on stage co-located with the DEF CON Conference in Las Vegas where automated systems may take the first steps towards a defensible, connected future.

http://www.cybergrandchallenge.com

Regin: mais uma ciber-arma?

Regin: Top-tier espionage tool enables stealthy surveillance
Symantec

An advanced spying tool, Regin displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.

An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since at least 2008. A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.

It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.

As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.




Relatório PWC sobre estado da segurança

Managing cyber risks in an interconnected world
Key findings from The Global State of Information Security® Survey 2015

partes:

  1. Cyber risks: A severe and present danger
  2. Incidents and financial impacts continue to soar
  3. Employees are the most- cited culprits of incidents
  4. As incidents rise, security spending falls
  5. Declines in fundamental security practices
  6. Gains in select security initiatives
  7. Evolving from security to cyber risk management

Quão identificável é o seu browser?

O meu é :-)

Learn how identifiable you are on the Internet. Help us investigate the diversity of web browsers. By clicking on this button, only anonymous data will be collected and a cookie will be stored in your browser for four months. You can find more details in the Privacy Policy.

tentar em https://amiunique.org

Top problemas de segurança 2014

Um resumo de um ano em cheio. Inclui também uma discussão sobre 2015:

10 top security threats of 2014 (so far)
Zero Day
Summary: The top security threats of 2014 include equal parts old mistakes, new adversaries, innocent human nature and the evils that people do.
A lista:

10. Normal people
9. Cloud disasters
8. Application security, aka blame the "other services"
7. Facebook scams
6. The Drupal boogeyman
5. Apple's rot
4. China
3. Shellshock
2. Mega Retail Breaches
1. 2014's threat theme: White-knuckle flaws in TLS/SSL protocols: Goto Fail, Heartbleed, POODLE, WinShock

A complexidade da segurança de software

A typical, midsized financial organization has a portfolio of over a thousand applications. The largest firms exceed ten thousand applications. Each of these applications, on average, has hundreds of thousands of lines of custom code, and the largest can have over ten million lines. In addition, each application also includes anywhere from dozens to hundreds of software libraries, frameworks, and components that typically total over ten times the size of the custom code. And this portfolio is growing rapidly -- over 20% of these applications have new and updated code each year.

By comparison, consider the US Federal Tax Code, which has also grown dramatically over the years. Currently, the tax code totals just 4.4 million lines of “code” – roughly equivalent to just a handful of applications. As a security researcher I’ve discovered thousands of vulnerabilities in code. But as a former CEO, I’ve also analyzed a ton of legal contracts for loopholes. What’s interesting is that whether I’m scrutinizing software code or reviewing legal language, the analysis is not as different as you might think. Both require a detailed understanding of specialized language and a solid understanding of the underlying business.

So after two decades of high speed coding, a typical large financial organization has a pile of code as large as 2,000 copies of the entire 73,954 pages in the US Federal Tax Code -- almost 10 billion lines of code.

The Staggering Complexity of Application Security
DarkReading