Top data breaches 2015

The 2015 top-10 lists are starting to appear:

Biggest data breaches of 2015

"From Ashley Madison to VTech it has been a nasty data breach year"

Security lessons from a 007 film

Yesterday I went to see "Spectre", the new film in the 007 series. Fantastic as always.

In the series, agent 007 has almost always fought the threats of the day (the Cold War, the nuclear threat, the post-Cold War period, terrorism, drug barons, etc.). This one is no exception. The theme is the danger of mass surveillance and of the collected data falling into the hands of criminal organisations (Spectre in the film).

From the film one can extract a series of lessons about (computer) security:

- Watch out for the data. If some organisation (9 Eyes in the film) collects enormous amounts of data, the danger is not (only) the organisation itself, but also the criminal organisations (Spectre in the film) that may get their hands on it.

- The insider threat, again. In the film a member of 9 Eyes, C, was going to intentionally give Spectre access to the data.

- Pay attention to authentication credentials. A criminal organisation that wants to dominate the world lets 007 into a top-secret meeting by authenticating him with only a name (Mickey Mouse) and a token (a ring with an octopus drawn on it)…

- Privacy vs location data. In the film the villain (Blofeld) had a satellite phone that allowed Mr. White and James Bond to locate his top-secret facility. Bad idea…

- Beware of reusing secrets. In the film the octopus ring passed through the hands of the villains of the last few films in the series, and all of them left their DNA on it…

- Defence in depth is important, but keeping the adversary outside the perimeter is better still. As in so many films in the series, the villains let James Bond into their facilities before liquidating him. This one is no exception and the results are as bad as usual. Moral of the story: adversaries are dangerous, so it is better to keep them outside the walls.

Report on CCS 2015

The 22nd edition of the ACM Conference on Computer and Communications Security (CCS 2015) took place in Denver between 12 and 16 October 2015. About 670 people attended the event, which comprised 12 technical sessions, 10 workshops, 3 tutorials and 28 posters/demos. 660 paper submissions were received, of which 128 were accepted (an acceptance rate of 19.4%).

Before presenting some notes on CCS 2015, we suggest a quick look at the programme and the proceedings of the event to locate the papers that interest you most. Some highlights of this edition follow:

### Invited speakers:
- The first keynote was given by Dr. Edward Felten (Deputy U.S. Chief Technology Officer) and dealt with the current relationship between government and security researchers. The main focus was to present the priority points for computing and communications security in the U.S. government and to draw attention to the importance of researchers taking part in decision-making and engaging with the governments of their countries.
- The second day's keynote was given by Dr. Moti Yung (Google Inc. & Columbia Univ.) on the importance of bringing the theoretical side of security research closer to the practical side of systems research.

### Main topics
The papers presented at CCS cover a broad spectrum of topics. A list follows with some of those (and example papers) that were most discussed during the event:

- Attacks on the security of systems and protocols (e.g., Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice)
- Computation over encrypted data (e.g., Inference Attacks on Property-Preserving Encrypted Databases)
- Cryptocurrencies (e.g., Micropayments for Decentralized Currencies)
- Secure and efficient outsourcing of storage (e.g., Secure Deduplication of Encrypted Data without Additional Independent Servers)
- Differential and statistical privacy (e.g., Privacy-Preserving Deep Learning)
- Censorship and censorship resistance (e.g., CacheBrowser: Bypassing Chinese Censorship without Proxies Using Cached Content)
- Security and privacy on mobile devices (e.g., Cracking App Isolation on Apple: Unauthorized Cross-App Resource Access on MAC OS X and iOS)
- Privacy in social networks (e.g., Face/Off: Preventing Privacy Leakage From Photos in Social Networks)

### CCS 2015 notes:
Notes on some of the papers presented at CCS 2015 follow:

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
The authors present a vulnerability in TLS (called Logjam) that lets a man-in-the-middle attacker weaken the security of the Diffie-Hellman key exchange. It was considered one of the 3 best papers of CCS 2015 (best-paper award). It received 3 of the 10 "strong accept" grades awarded during the whole paper review process. More information at: https://weakdh.org/

Inference Attacks on Property-Preserving Encrypted Databases
The paper presents some attacks capable of inferring the contents of columns of a (property-preserving) encrypted database. An interesting detail about the paper is that it received a public response even before it was presented at the event. The people responsible for CryptDB claimed that the authors of this paper did not follow the best practices for configuring the database, and that this is why the attacks presented succeeded. It remains to read both documents to draw conclusions.

UCognito: Private Browsing without Tears
The paper discusses some limitations and flaws in the private-browsing implementations of current browsers. Basically, the various browsers differ in the semantics of private browsing and in the guarantees they provide. The authors present a solution to work around those limitations.

Micropayments for Decentralized Currencies
The paper addresses the high cost of electronic transactions and presents alternative approaches to micropayments. The Bitcoin Lightning Network (https://lightning.network/) was pointed out by the audience as another related solution.

### WPES 2015 notes:
Notes on some of the papers from WPES 2015 (Workshop on Privacy in the Electronic Society) follow:

Known Unknowns: An Analysis of Twitter Censorship in Turkey
This paper analysed Twitter's transparency reports on tweets and accounts censored at the request of various governments. The authors identified a significant discrepancy between the results presented in the reports and the numbers they computed as being the real ones.

Rook: Using Video Games as a Low-Bandwidth Censorship Resistant Communication Platform
This paper presented a solution that uses video games to get past censorship barriers. Steganography techniques are applied to the games' data packets so that they carry messages without being detected.

Privately (and Unlinkably) Exchanging Messages Using a Public Bulletin Board
This paper proposed a one-way communication protocol that uses a public bulletin board as a private communication channel, where it is not possible to identify the people involved in the conversation.

A High-Throughput Method to Detect Privacy-Sensitive Human Genomic Data
This paper proposed a high-throughput method for detecting privacy-sensitive genomic sequences. Such a technique allows, for example, strong security assumptions to be applied to the privacy-sensitive part of the human genome while spending a feasible effort on the less sensitive part. This was the only work presented at the event that involved Portuguese universities.

### ACM awards:
ACM SIGSAC has 2 awards that are presented annually during CCS. This year, Ross Anderson (author of the famous paper "Why Cryptosystems Fail") received the innovation award (Outstanding Innovation Award) and Steve Lipner received the contribution award (Outstanding Contribution Award).

### CCS 2016:
In 2016, CCS will be held in Vienna and organised by the SBA research centre. The call for papers will be published in the coming months and the submission deadline will probably fall between April and May 2016. The winner of the 2015 ACM SIGSAC innovation award, Ross Anderson, will be one of the invited speakers.

Leave your opinion in the comments below about other papers that are worth reading and deserve a mention.

Vinícius Cogo

SHA-1: "don't panic, but prepare for a future panic"

This is how B. Schneier sums up the new result:

Especially note this bit: "Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks." In other words: don't panic, but prepare for a future panic.

This is not that unexpected. We've long known that SHA-1 is broken, at least theoretically. All the major browsers are planning to stop accepting SHA-1 signatures by 2017. Microsoft is retiring it on that same schedule. What's news is that our previous estimates may be too conservative.

Intrusion tolerance and diversity in practice

Navy Diversifies Ships' Cyber Systems to Foil Hackers
IEEE Spectrum online

Cyber attacks could prove just as deadly to technologically advanced warships as missiles and torpedoes in the future. That is why the U.S. Navy has been developing a defense system to protect its ships against hackers who threaten to disable or take control of critical shipboard systems.


The Resilient Hull, Mechanical, and Electrical Security (RHIMES) system aims to prevent cyber attackers from compromising the programmable logic controllers that connect a ship’s computers with onboard physical systems. RHIMES uses slightly different versions of core programming for each physical controller so that a cyber attack can’t disable or take over all shipboard systems in one fell swoop.

“In the event of a cyber attack, RHIMES makes it so that a different hack is required to exploit each controller,” said Ryan Craven, a program officer of the Cyber Security and Complex Software Systems Program in the Office of Naval Research, in a press release. “The same exact exploit can’t be used against more than one controller.”
(...)

SYNful Knock: a backdoor for routers

More developments on the SYNful Knock backdoor for Cisco routers. Several routers carrying the backdoor have been discovered around the world:

Malicious Cisco router backdoor found on 79 more devices, 25 in the US

The highly clandestine attacks hitting Cisco Systems routers are much more active than previously reported. Infections have hit at least 79 devices in 19 countries, including an ISP in the US that's hosting 25 boxes running the malicious backdoor.

That discovery comes from a team of computer scientists who probed the entire IPv4 address space for infected devices. As Ars reported Tuesday, the so-called SYNful Knock router implant is activated after receiving an unusual series of non-compliant network packets followed by a hardcoded password. By sending only the out-of-sequence TCP packets but not the password to every Internet address and then monitoring the response, the researchers were able to detect which ones were infected by the backdoor.

satlink hijacking

It's Turla Hackers | Satellite Turla Still Alive And Hiding In The Sky

Law enforcement agencies, with the help of leading IT security providers, are keen on blocking all the malware Command & Control servers they find. Sometimes, they efficiently shut down massive botnets by putting their controlling structure out of business. But one of the most advanced threat actors is still out there.

One of the reasons for Turla’s success, besides the group’s obvious professionalism, is their ability to hide the ends – namely, the above-mentioned C&Cs. Research by Kaspersky Lab experts reveals that they’re achieving this using a trick known as satlink hijacking – a technique this Russian-speaking group has been using since 2007. It involves exploiting the vulnerability of asynchronous satellite internet connections to sniff traffic, distilling the IP addresses of satellite subscribers. All the attackers need then is to set up their servers with the same IPs, configure these addresses into their malware and, after a successful infection, wait for its call for C&C.

original article

81% of healthcare IT executives admit that intrusions have already occurred - KPMG study

"Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG.

The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said.

The 2015 KPMG Healthcare Cybersecurity Survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans."

...

Full article
Computerworld

(with thanks to Nuno Miguel Neves)

NSA toys for everyone

"When Der Spiegel and Jacob Appelbaum published leaked pages of the National Security Agency's ANT Catalog—the collection of tools and software created for NSA's Tailored Access Operations (TAO) division—it triggered shock, awe, and a range of other emotions around the world. Among some hardware hackers and security researchers, it triggered something else, too—a desire to replicate the capabilities of TAO's toolbox to conduct research on how the same approaches might be used by other adversaries.

In less than 18 months since the catalog's leak, the NSA Playset project has done just that. The collection boasts over a dozen devices that put the power of the NSA's TAO into the hands of researchers. Project creator Michael Ossmann—a security researcher, radio frequency hardware engineer, and founder of Great Scott Gadgets—detailed the tools at a presentation during the Black Hat conference in Las Vegas last week, and he talked with Ars more about it this past weekend at DEF CON 23.

Many of the software components of the 50-page ANT catalog were things that had already been developed by security researchers. Some of the discovered capabilities appeared to stem from off-the-shelf hardware (or its equivalent) and software similar to existing tools; they were simply combined in a package suitable for spy work. But other pieces of hardware in the NSA's catalog appeared to have no openly available equivalent—such as wireless bugs planted in computer cables or connectors. Some of those bugs were radio "retro-reflectors," wiretaps that only broadcast data when hit by a directed radio signal. (It's similar in concept to "The Thing"—the infamous bug Soviet spies planted inside the US Embassy in Moscow.)"

...

full article at Ars Technica

Threat Vector and cyber-war

Tom Clancy's latest books with Jack Ryan Jr. had been getting boring, so I had not yet read the most recent ones. I have now read Threat Vector and it was a pleasant surprise. The book revolves around a cyber-war scenario between China and the USA that seems very well thought out to me. The scenario assumes a hypothetical Chinese superiority, grounded in recent real cases such as Shady Rat, but one that would tend to disappear in the short to medium term. It mentions several concrete attacks and responses that seem realistic… without forgetting that it is fiction, of course. Recommended.

TLS: recommendations and the Logjam vulnerability

IETF recommendations on TLS have just come out: RFC 7525

   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS) are widely used to protect data exchanged over application
   protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP.  Over the
   last few years, several serious attacks on TLS have emerged,
   including attacks on its most commonly used cipher suites and their
   modes of operation.  This document provides recommendations for
   improving the security of deployed services that use TLS and DTLS.
   The recommendations are applicable to the majority of use cases.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  General Recommendations
     3.1.  Protocol Versions
       3.1.1.  SSL/TLS Protocol Versions
       3.1.2.  DTLS Protocol Versions
       3.1.3.  Fallback to Lower Versions
     3.2.  Strict TLS
     3.3.  Compression
     3.4.  TLS Session Resumption
     3.5.  TLS Renegotiation
     3.6.  Server Name Indication
   4.  Recommendations: Cipher Suites
     4.1.  General Guidelines
     4.2.  Recommended Cipher Suites
       4.2.1.  Implementation Details
     4.3.  Public Key Length
     4.4.  Modular Exponential vs. Elliptic Curve DH Cipher Suites
     4.5.  Truncated HMAC
   5.  Applicability Statement
     5.1.  Security Services
     5.2.  Opportunistic Security
   6.  Security Considerations
     6.1.  Host Name Validation
     6.2.  AES-GCM
     6.3.  Forward Secrecy
     6.4.  Diffie-Hellman Exponent Reuse
     6.5.  Certificate Revocation
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Acknowledgments
   Authors' Addresses


A paper on a new TLS vulnerability has also appeared: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
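As an added example (not code from the RFC or from the original post), a small linter that checks a server's TLS settings against the RFC 7525 points listed above and against the Logjam finding on weak Diffie-Hellman groups. The dict layout and the two sample server configurations are constructed assumptions.

```python
"""Check a TLS server configuration against RFC 7525 and the Logjam
finding on weak Diffie-Hellman groups.

Added example, not code from RFC 7525 or the original post. The config
layout (a plain dict) and the two sample servers below are constructed."""

# RFC 7525 section 3.1.1: SSLv2/SSLv3 MUST NOT be negotiated,
# TLS 1.0/1.1 SHOULD NOT be, and TLS 1.2 MUST be supported.
FORBIDDEN_VERSIONS = {"SSLv2", "SSLv3"}
DISCOURAGED_VERSIONS = {"TLSv1.0", "TLSv1.1"}

# RFC 7525 section 4.3: RSA keys and DH groups of at least 2048 bits.
# Logjam downgrades a DHE handshake to a 512-bit "export" group, so a
# small group is a hard finding, not a style nit.
MIN_KEY_BITS = 2048

# RFC 7525 section 4.1: NULL, export-grade, RC4 and anonymous suites
# MUST NOT be negotiated.
BAD_SUITE_MARKERS = ("NULL", "EXPORT", "RC4", "anon")


def has_forward_secrecy(suite):
    """RFC 7525 section 6.3 recommends ephemeral (EC)DHE key exchange;
    static RSA key exchange (TLS_RSA_WITH_...) exposes every recorded
    session if the server's private key is ever compromised."""
    return "_DHE_" in suite or "_ECDHE_" in suite


def lint(config):
    """Return a list of findings; an empty list means compliant."""
    findings = []
    versions = set(config.get("versions", []))
    for v in sorted(versions & FORBIDDEN_VERSIONS):
        findings.append(f"{v} MUST NOT be enabled (RFC 7525 3.1.1)")
    for v in sorted(versions & DISCOURAGED_VERSIONS):
        findings.append(f"{v} SHOULD NOT be enabled (RFC 7525 3.1.1)")
    if "TLSv1.2" not in versions:
        findings.append("TLS 1.2 MUST be supported (RFC 7525 3.1.1)")

    if config.get("compression", False):
        findings.append("TLS compression SHOULD be disabled (RFC 7525 3.3)")

    rsa_bits = config.get("rsa_bits", 0)
    if rsa_bits < MIN_KEY_BITS:
        findings.append(f"RSA key is {rsa_bits} bits, need >= {MIN_KEY_BITS} (RFC 7525 4.3)")

    suites = config.get("cipher_suites", [])
    # The DH group size only matters if a finite-field DHE suite is offered.
    if any("_DHE_" in s for s in suites):
        dh_bits = config.get("dh_bits", 0)
        if dh_bits < MIN_KEY_BITS:
            findings.append(f"DH group is {dh_bits} bits, Logjam-class downgrade risk, "
                            f"need >= {MIN_KEY_BITS} (RFC 7525 4.3)")

    for suite in suites:
        if any(marker in suite for marker in BAD_SUITE_MARKERS):
            findings.append(f"{suite} MUST NOT be offered (RFC 7525 4.1)")
        elif not has_forward_secrecy(suite):
            findings.append(f"{suite} has no forward secrecy (RFC 7525 6.3)")
    return findings


def is_compliant(config):
    return not lint(config)


# Constructed example: a server still offering SSLv3, export DHE and RC4.
WEAK_SERVER = {
    "versions": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "compression": True,
    "rsa_bits": 1024,
    "dh_bits": 512,
    "cipher_suites": [
        "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}

# Constructed example: the same server after applying the recommendations.
HARDENED_SERVER = {
    "versions": ["TLSv1.2"],
    "compression": False,
    "rsa_bits": 2048,
    "dh_bits": 2048,
    "cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    ],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        print(name, "->", lint(cfg) or "compliant")
```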

plane hacking

"Breaking: The security researcher was able to issue a climb command and make the plane change course, the document states." And this coming from an industry that has always taken safety very seriously :-(

Feds Say That Banned Researcher Commandeered a Plane - Wired.com

Live cyber-attacks

Check Point has created a map that lets you visualise the attacks its sensors are observing at each moment: https://www.threat-cloud.com/ThreatPortal/#/map

"The Map is based on the intelligence of the ThreatCloudTM solution, the industry's largest collaborative network for fighting cybercrime, which provides data on threats and attack trends through a worldwide network of dedicated sensors. The ThreatCloud database holds more than 250 million addresses analysed for bot discovery, more than 11 million malware signatures and more than 5.5 million infected websites, allowing millions of malware types to be identified daily.

Among the key statistics included daily in the ThreatCloud Map are:

  • The top 10 countries of origin of cyber-attacks
  • The top 10 target countries of cyber-attacks
  • Attack types (bot communication, access to malicious sources, malicious file transfers, spam)
  • Total daily attacks
  • Country-specific data, showing infection averages and the most common types of cyber-attack, by week and by month."

full story at

Seccubus

Seccubus automates vulnerability scanning with: Nessus, OpenVAS, NMap, SSLyze, Burp, Medusa, SkipFish, OWASP ZAP and SSLlabs

Anyone who has ever used a vulnerability scanner like Nessus or OpenVAS will be familiar with one of their biggest drawbacks. They are very valuable tools, but unfortunately they are also very noisy. The time needed to report on the findings of a scan is often two or three times the time needed to do the actual scan. Seccubus was created to more effectively analyze the results of regular vulnerability scans. It was designed with defenders in mind who have to scan the same infrastructure regularly.

web site

Where not to keep passwords

this one is too much...


"In an interview about the satellite hack with French news program 13 Heures, TV5Monde reporter David Delos unwittingly revealed at least one password for the station's social media presence. That's because he was filmed in front of a staffer's desk—which was smothered in sticky notes and taped index cards that were covered in account usernames and passwords."

article at Ars Technica

PJ is hiring

from DN online:

Open competition for 120 more inspectors targets areas considered priorities by the PJ's National Directorate

Corruption and computer crime, two of the most modern and sophisticated areas of criminality, will be reinforced in two years' time, when 120 more inspectors have been trained.

The competition for these 120 new positions opened on 20 March and requires degrees in 86 different courses, with a clear emphasis on Business Administration and Management and on engineering in the areas of computers and telecommunications. Because of what the PJ's organic law provides, 40 positions (33% of the total) are reserved from the outset for candidates with law degrees.
The importance given to cyberterrorism is such that the PJ will have a National Computer Crime Investigation Unit (UNCII), with 100 inspectors in total, as the national director of the Judiciária, Almeida Rodrigues, revealed to DN. This is, after all, a type of criminality that has not stopped rising since 2011, the year in which the Cybercrime Office was created at the Attorney General's Office.

fake Google certificates

Maintaining digital certificate security
Google Online Security Blog
Adam Langley


On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.

CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.

We promptly alerted CNNIC and other major browsers about the incident, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push. CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system. This situation is similar to a failure by ANSSI in 2013.

This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it.

Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate.

This event also highlights, again, that the Certificate Transparency effort is critical for protecting the security of certificates in the future.

(Details of the certificate chain for software vendors can be found here.)

Avoiding design vulnerabilities in software

There is a lot of work on avoiding coding vulnerabilities. This document is about avoiding design vulnerabilities:

AVOIDING THE TOP 10 SOFTWARE SECURITY DESIGN FLAWS (pdf)

CSI:cyber

A "cyber" version of the CSI series premiered a short while ago. Fun, but they could not resist the car chases, shootouts, ...
Site
Facebook


Attacks against the stock exchange

Hackers target hedge funds to manipulate trading algorithms
SC Magazine

The financial institutions are under attack from a new generation of cyber-criminals, ones that are looking to exploit weaknesses in the algorithms used to conduct automatic trades. Algorithms are widely used within financial institutions to generate mass trades – at one venture capital company, an algorithm has been appointed to the board of directors.

EJ Hilbert, head of cyber-investigations at Kroll, said that algorithms were a tempting target for cyber-criminals. “Algorithms manipulate data and the bad guys understand that – manipulating data is what they know.”

He couldn't say how common a problem it was as he could only comment on cases where Kroll was brought into investigate. He did say that he knew of at least two recent cases: one where the company had in place procedures that identified a particular issue and one where the company just thought there was something not quite right. “In one case, the bad guy was someone internal; in the other, we couldn't identify where the gang was from.” He pointed out, however, that these were highly organised criminal gangs, ones who were able to sell information and launder the proceeds accordingly.

Hilbert, a former FBI cyber-crime investigator said the really interesting question is what the criminals would do with the compromised source code, whether it would be used to sell it back to the companies that it had been stolen from or whether the criminals would use it themselves. “We know, from monitoring the dark web, that there are discussions about how to use this information,” he said. 

Financial authorities have already identified a problem with hedge funds. In April last year, the USA's Security Exchange Commission said it would be looking into brokerage firms and investments advisors to ascertain how protected they were against cyber-attacks and what steps they were taking to protect customer data.

On this side of the pond, regulatory authorities are more circumspect. “We would ensure that companies have adequate systems and controls in place for the management of IT risks,” said a spokeswoman for the Financial Conduct Authority, but said that the authority didn't treat hedge fund companies any differently from other financial institutions. Nor did the FCA look in any detail at the level of protection. “We're a financial regulator not a body that assesses IT risk,” the spokeswoman said.

Hilbert said the regulators would want to keep a close eye on trading systems and maybe introduce new procedures. “When there was a lot of credit card crime, systems were tightened and PCI DSS was introduced and there's no less of a problem,” he said.


Memory Analysis Suite for Mozilla InvestiGators

The Masche MWoS team presents their work on building a Memory Analysis Suite for Mozilla InvestiGators (MIG). MASCHE is a cross-platform Go library that provides low-level memory scanning on Linux, Windows and MacOS. It was developed by a team of 4 students from the University of Buenos Aires, as part of the Mozilla Winter of Security initiative.
https://github.com/mozilla/masche 

original article

Breaking security protections by flipping memory bits

GOOGLERS’ EPIC HACK EXPLOITS HOW MEMORY LEAKS ELECTRICITY
Wired

AS MOORE’S LAW has packed more and more transistors onto a single memory chip, scientists have fretted for years that electric charges that “leak” out from those tiny components might cause unpredictable errors in neighboring semiconductors. But now a team of Google researchers has demonstrated a more unexpected problem with that electromagnetic leakage: hackers can use it to purposefully corrupt portions of some laptops’ memory, and even to bypass the security protections of those computers.

In a post on its Google Project Zero security blog Monday, a group of the company’s researchers revealed new hacker exploits that take advantage of what’s known as the “Rowhammer” technique. Here’s how Rowhammer gets its name: In the Dynamic Random Access Memory (DRAM) used in some laptops, a hacker can run a program designed to repeatedly access a certain row of transistors in the computer’s memory, “hammering” it until the charge from that row leaks into the next row of memory. That electromagnetic leakage can cause what’s known as “bit flipping,” in which transistors in the neighboring row of memory have their state reversed, turning ones into zeros or vice versa. And for the first time, the Google researchers have shown that they can use that bit flipping to actually gain unintended levels of control over a victim computer. Their Rowhammer hack can allow a “privilege escalation,” expanding the attacker’s influence beyond a certain fenced-in portion of memory to more sensitive areas.

(...)

Presentation of the WAP tool in Lisbon

It might be interesting, now that the tool has passed 2000 downloads :-)

March 18 @ 19:00 - 21:00

Speaker: Ibéria Medeiros

Session Title: Web Application Protection

Session Description:

This session covers the following topics:
- the importance of the WAP tool;
- how it fits into pen-testing;
- how it compares with other tools (advantages and disadvantages);
- what its main features are, explained from an information-security perspective;
- a demonstration of the tool, of the vulnerabilities it detects, and of their possible exploitation.

Registration: http://security3v3ntz-webapplicationprotection.eventbrite.co.uk

Location: ISCTE, Edifício 1, Auditório 0NE01

Cryptography

EU Cybersecurity Maturity Dashboard 2015

"The promise of today’s interconnected world is immeasurable.Technology has become integral to virtually every sector of the global economy, including banking, communications and the electrical grid. The benefits that stem from that promise, however, face very real threats.

The purpose of this report — the first-of-its-kind BSA EU Cybersecurity Dashboard — is to provide government officials in each of the EU Member States with an opportunity to evaluate their country’s policies against these metrics, as well as their European neighbors."

see the dashboard


Angler & Domain Shadowing

Cisco blog

Angler is currently the best exploit kit on the market. The security industry has been waiting in anticipation to see which kit would replace “Blackhole”. While Angler may not have replaced Blackhole in terms of volume, the high level of sophistication and widespread usage leads us to declare Angler as the winner. It has shown the capability of integrating new exploits, including 0-days, quickly and effectively. With a new technique we’re calling Domain Shadowing, Angler has shown it is working hard to avoid standard detection.

Domain shadowing is the process of using users' domain registration logins to create subdomains (i.e. says.imperialsocks.com). Angler Exploit Kit has begun utilizing these hijacked domain registrant accounts to serve malicious content. This is an increasingly effective attack vector since most individuals don’t monitor their domain registrant accounts regularly. These accounts are typically compromised through phishing. The threat actor then logs in with credentials and creates large amounts of subdomains. Since a lot of users have multiple domains this can provide a nearly endless supply of domains. Talos has found several hundred accounts that have been compromised that have control of thousands of unique domains. We have identified close to 10K unique subdomains being utilized. This behavior has shown to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses, since this campaign has done an exceptional job of rotating not only the subdomains, but also the IP addresses associated with the campaign. Additionally, these subdomains are being rotated quickly, minimizing the time the exploits are active, further hindering both block list effectiveness and analysis. This is all done with the users' already registered domains. No additional domain registration was found.

This recent campaign has been running since late December and coupled with the recent Flash 0-day has shown to be a new evolution in exploit kits. Utilizing 0-days and advanced evasion techniques were once reserved for targeted attacks and are now being packaged as the next evolution in the productized industrialization of hacking. This illustrates how products like Angler have raised the bar for the effectiveness of user driven exploit frameworks putting it in the same arena as the advanced threat market. Previously, the information security industry has been trying to focus on detecting the threats like common, user targeted attacks while taking an “it's not if, but when” approach to the advanced threats. Angler is now in the category of “not if, but when your organization will be impacted.”
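The Talos text names three observable signals of domain shadowing: many subdomains appearing under one registered domain in a short period, several distinct IPs behind them, and each subdomain living only briefly. The following is an added example written for this post, not Cisco Talos code: a small detector that scores passive-DNS style records on exactly those three signals. The log format, the host names and the IP addresses are constructed for the example (imperialsocks.com is the placeholder name the Talos write-up itself uses), and `registered_domain` approximates the registrant-level domain with the last two labels, which a real deployment would replace with a Public Suffix List lookup.

```python
"""Flag registered domains whose subdomains churn the way a domain-shadowing
campaign does. Added illustration for this post, not Cisco Talos code.

Input: constructed passive-DNS style log lines, "<ISO timestamp> <fqdn> <ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample. example.com stands in for a normal zone with stable hosts;
# imperialsocks.com (the placeholder name from the Talos write-up) stands in for
# a hijacked registrant account churning throwaway subdomains across several IPs.
SAMPLE_LOG = """\
2015-03-01T08:00:00 www.example.com 198.51.100.10
2015-03-01T09:00:00 mail.example.com 198.51.100.11
2015-03-02T10:00:00 www.example.com 198.51.100.10
2015-03-03T11:00:00 mail.example.com 198.51.100.11
2015-03-01T08:05:00 says.imperialsocks.com 203.0.113.5
2015-03-01T08:50:00 says.imperialsocks.com 203.0.113.5
2015-03-01T09:10:00 fjklq.imperialsocks.com 203.0.113.6
2015-03-01T09:40:00 fjklq.imperialsocks.com 203.0.113.6
2015-03-01T10:00:00 zb72x.imperialsocks.com 203.0.113.7
2015-03-01T11:15:00 pp91.imperialsocks.com 203.0.113.5
2015-03-01T11:30:00 pp91.imperialsocks.com 203.0.113.8
2015-03-01T12:05:00 wqm3.imperialsocks.com 203.0.113.8
2015-03-01T13:20:00 ctk8.imperialsocks.com 203.0.113.6
"""


def registered_domain(fqdn: str) -> str:
    """Registrant-level domain, approximated as the last two labels.
    Simplification (assumption of this example): real deployments should use
    the Public Suffix List so that host.example.co.uk maps to example.co.uk."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, fqdn, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, fqdn, ip = line.split()
        records.append((datetime.fromisoformat(ts), fqdn.lower(), ip))
    return records


def find_shadowed_domains(records, window=timedelta(hours=24), min_new_per_window=5,
                          min_ips=3, max_median_lifetime=timedelta(hours=2)):
    """Return {registered_domain: stats} for domains showing all three signals:
    a burst of new subdomains, several distinct IPs, and short-lived subdomains."""
    first_seen, last_seen = {}, {}
    ips = defaultdict(set)   # registered domain -> resolved IPs
    subs = defaultdict(set)  # registered domain -> distinct FQDNs
    for ts, fqdn, ip in records:
        reg = registered_domain(fqdn)
        subs[reg].add(fqdn)
        ips[reg].add(ip)
        first_seen[fqdn] = min(ts, first_seen.get(fqdn, ts))
        last_seen[fqdn] = max(ts, last_seen.get(fqdn, ts))

    flagged = {}
    for reg, names in subs.items():
        firsts = [first_seen[n] for n in names]
        span = max(firsts) - min(firsts)
        # Creation rate normalised to one window; data spanning less than a
        # window counts as one window, so a burst is not over-weighted.
        new_per_window = len(names) * (window / max(span, window))
        lifetime_min = median(
            (last_seen[n] - first_seen[n]).total_seconds() / 60 for n in names)
        stats = {"subdomains": len(names), "ips": len(ips[reg]),
                 "new_per_window": new_per_window,
                 "median_lifetime_min": lifetime_min}
        if (new_per_window >= min_new_per_window
                and len(ips[reg]) >= min_ips
                and lifetime_min <= max_median_lifetime.total_seconds() / 60):
            flagged[reg] = stats
    return flagged


if __name__ == "__main__":
    for domain, stats in find_shadowed_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, stats)
```

Run on the constructed sample, only imperialsocks.com is flagged (6 subdomains, 4 IPs, median subdomain lifetime of 7.5 minutes), while example.com, with two long-lived hosts, is not. The thresholds are starting points to tune against a real passive-DNS feed; the point of requiring all three signals together is that a large legitimate zone trips the subdomain count alone, and a CDN trips the IP count alone, but neither churns subdomains within hours.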

Equation Group

The strange case of the Equation Group:

In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn't know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail. (...)

Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.


Hackers steal hundreds of millions from banks

Bank Hackers Steal Millions via Malware
New York Times / Kaspersky

Since late 2013, an unknown group of hackers has reportedly stolen $300 million — possibly as much as triple that amount — from banks across the world, with the majority of the victims in Russia.


full story

CryptoCurrency Security Standard (CCSS)

Introducing the CryptoCurrency Security Standard (CCSS)

The C4 mission statement is to develop and maintain standards that will benefit the cryptocurrency ecosystem. We accomplish this mission with the collaboration of the brightest minds in our space and have met success with each of our prior projects. Today, after months of working with extremely knowledgeable partners on this critical project, BitGo and C4 are proud to jointly announce the release of the draft CryptoCurrency Security Standard (CCSS) for public discussion.

(...)

The full whitepaper can be downloaded here: https://cryptoconsortium.org/ccss/CCSS.zip

The latest draft of the CryptoCurrency Security Standard is published online via GitHub at http://cryptoconsortium.github.io/CCSS/

full article

Kali Linux 1.1.0

Kali Linux version 1.1.0 is out!

"After almost two years of public development (and another year behind the scenes), we are proud to announce our first point release of Kali Linux – version 1.1.0. This release brings with it a mix of unprecedented hardware support as well as rock solid stability. For us, this is a real milestone as this release epitomizes the benefits of our move from BackTrack to Kali Linux over two years ago. As we look at a now mature Kali, we see a versatile, flexible Linux distribution, rich with useful security and penetration testing related features, running on all sorts of weird and wonderful ARM hardware."

From hackers to entrepreneurs

A very interesting article on how Eastern Europe produced countless hackers who later became security specialists:

How Eastern Europe's villains changed sides in the malware war - and made you protect your PC

Security blogs

41 Amazing Internet Security Blogs You Should Be Reading

Blackhat, the movie

An interesting analysis of the movie Blackhat from the point of view of security professionals:

Blackhat movie: the good the bad and the ugly - CSO Online

In summary:

  • Good: The IoT attack was real
  • Bad: ... but the IoT attacks made no sense
  • Ugly: ... the criminal hacker is the one genius who can fix things

BadIRET

A very interesting article on exploiting the BadIRET vulnerability:

Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)
Br Labs

It includes this odd comic strip:

Looking at the wrong level

A funny article, "If the NSA has been hacking everything, how has nobody seen them coming?", in which point 3 is particularly interesting: "You were looking at the wrong level":

"A common criticism of the top tier security conferences is that they focus on attacks that are overly complex, while networks are still being compromised by un-patched servers and shared passwords. What the ANT catalogue and some of the leaks revealed, is that sensitive networks have more than enough reason to fear complex attacks too. One of the most interesting documents in this regard appears to be taken from an internal Wiki, cataloguing ongoing projects (with calls for intern development assistance). (...)"

Cisco Annual Security Report 2015

Quite interesting, as the "key discoveries" show:

Attackers have become more proficient at taking advantage of gaps in security to hide and conceal malicious activity.
► In 2014, 1 percent of high-urgency common vulnerabilities and exposure (CVE) alerts were actively exploited. This means organizations must prioritize and patch that 1 percent of all vulnerabilities quickly. But even with leading security technology, excellence in process is required to address vulnerabilities.
► Since the Blackhole exploit kit was sidelined in 2013, no other exploit kit has been able to achieve similar heights of success. However, the top spot may not be as coveted by exploit kit authors as it once was.
► Java exploits have decreased by 34 percent, as Java security improves and adversaries move to embrace new attack vectors.
► Flash malware can now interact with JavaScript to help conceal malicious activity, making it much harder to detect and analyze.
► Spam volume increased 250 percent from January 2014 to November 2014.
► Snowshoe spam, which involves sending low volumes of spam from a large set of IP addresses to avoid detection, is an emerging threat.

Users and IT teams have become unwitting parts of the security problem.
► Online criminals rely on users to install malware or help exploit security gaps.
► Heartbleed, the dangerous security flaw, critically exposes OpenSSL. Yet 56 percent of all OpenSSL versions are older than 50 months and are therefore still vulnerable.
► Users’ careless behavior when using the Internet, combined with targeted campaigns by adversaries, places many industry verticals at higher risk of web malware exposure. In 2014, the pharmaceutical and chemical industry emerged as the number-one highest-risk vertical for web malware exposure, according to Cisco Security Research.
► Malware creators are using web browser add-ons as a medium for distributing malware and unwanted applications. This approach to malware distribution is proving successful for malicious actors because many users inherently trust add-ons or simply view them as benign.

The Cisco Security Capabilities Benchmark Study reveals disconnects in perceptions of security readiness.
► Fifty-nine percent of chief information security officers (CISOs) view their security processes as optimized, compared to 46 percent of security operations (SecOps) managers.
► About 75 percent of CISOs see their security tools as very or extremely effective, with about one-quarter perceiving security tools as only somewhat effective.
► Ninety-one percent of respondents from companies with sophisticated security strongly agree that company executives consider security a high priority.
► Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches.
► Larger, midsize organizations are more likely to have highly sophisticated security postures, compared to organizations of other sizes included in the study.

Download the report

Addressing in Windows 8

Very interesting:

How Control Flow Guard Drastically Caused Windows 8.1 Address Space and Behavior Changes

Windows 8.1 radically changes the address space layout of the system by finally removing the 44-bit limitation which I described in one of the earliest blog posts on this website (and which Wikipedia even links to!). This is a little-known detail about the operating system, and an odd thing for Microsoft not to emphasize on with more aplomb, especially given that 8.1 is considered a “patch” of Windows 8.

Now, you may think that 16 TB to 256 TB is a meaningless change since no applications currently use even a fraction of that space, but the main benefit of this change is not the ability to allocate additional memory, but rather the increased entropy space available for Address Space Load Randomization (ASLR), especially given that Windows 8 introduced High Entropy ASLR (HEASLR), Top-down Randomization and Anonymous Memory Randomization.

(...)

Top security tools of 2014

2014 Top Security Tools as Voted by ToolsWatch.org Readers

01 – Unhide (NEW)
02 – OWASP ZAP – Zed Attack Proxy Project (-1↓)
03 – Lynis (+3↑)
04 – BeEF – The Browser Exploitation Framework (-2↓)
05 – OWASP Xenotix XSS Exploit Framework (0→)
06 – PeStudio (-2↓)
07 – OWASP Offensive (Web) Testing Framework (NEW)
08 – Brakeman (NEW)
09 – WPScan (0→)
10 – Nmap (NEW)

full article with descriptions of the tools

Exploit Pack

An interesting alternative to Metasploit and the like:

Exploit Pack is an open source GPLv3 security tool; this means it is fully free and you can use it without any kind of restriction. Other security tools like Metasploit, Immunity Canvas, or Core Impact are ready to use as well but you will require an expensive license to get access to all the features, for example: automatic exploit launching, full report capabilities, reverse shell agent customization, etc. Exploit Pack is fully free, open source and GPLv3. Because this is an open source project you can always modify it, add or replace features and get involved in the next project decisions; everyone is more than welcome to participate. We developed this tool thinking for and as pentesters. As security professionals we use Exploit Pack on a daily basis to deploy real environment attacks into real corporate clients.


How browsers store passwords

How Browsers Store Your Passwords (and Why You Shouldn't Let Them)

An interesting analysis of how browsers store users' passwords. In short, the answer to whether it is easy to recover the stored passwords is:
  • Chrome: Easy
  • Internet Explorer: Easy/Medium/Hard (Depends on version)
  • Firefox: Medium/Very Hard

Intel Software Guard Extensions (SGX)

Intel® Software Guard Extensions (SGX): A Researcher’s Primer

There is a new set of features coming to Intel CPUs that have massive potential for cloud security and other applications such as DRM. However, as with all things that can be used for good there is also the potential for misuse. These features come in the guise of Software Guard Extensions (SGX). (...)

Intel® Software Guard Extensions (Intel® SGX) is a name for Intel Architecture extensions designed to increase the security of software through an “inverse sandbox” mechanism. In this approach, rather than attempting to identify and isolate all the malware on the platform, legitimate software can be sealed inside an enclave and protected from attack by the malware, irrespective of the privilege level of the latter.

So in short this means we can create a secure enclave (or a Trusted Execution Environment – TEE – if you wish) at the CPU level which is protected from the OS upon which it is running.

Architecturally Intel SGX is a little different from ARM TrustZone (TZ). With TZ we often think of a CPU which is in two halves i.e. the insecure world and the secure world. Communication with the secure world occurs from the insecure world via the SMC (Secure Monitor Call) instruction. In Intel SGX model we have one CPU which can have many secure enclaves (islands): (...)

full article

Sigreturn Oriented Programming

Tutorial article: Playing with signals : An overview on Sigreturn Oriented Programming

Scientific paper: Framing Signals—A Return to Portable Shellcode

"Like return-oriented programming (ROP), sigreturn oriented programming constructs what is known as a ‘weird machine’ that can be programmed by attackers to change the behavior of a process. To program the machine, attackers set up fake signal frames and initiate returns from signals that the kernel never really delivered. This is possible, because UNIX stores signal frames on the process’ stack."

The 10 best cyber-crime stories of 2014

Top 10 cyber crime stories of 2014
ComputerWeekly

The 10 stories:

1. Business needs to take cyber crime seriously, says top EU cyber cop Troels Oerting
2. Service model driving cyber crime, says Europol report
3. UK-led cyber crime taskforce proving its worth, says top EU cyber cop
4. UK operation nets 17 suspected Blackshades cyber attackers
5. Dark markets downed in international anti-cyber crime operation
6. UK police make four arrests in international cyber crime crackdown
7. More than a hundred cyber criminals arrested in global operation
8. UK National Cyber Crime Unit open to business
9. UK police face steep learning curve on cyber crime
10. Cyber criminals set to become information dealers, says Websense