Looking at the wrong level

An amusing article -- "If the NSA has been hacking everything, how has nobody seen them coming?" -- in which point 3, "You were looking at the wrong level", is particularly interesting:

"A common criticism of the top tier security conferences is that they focus on attacks that are overly complex, while networks are still being compromised by un-patched servers and shared passwords. What the ANT catalogue and some of the leaks revealed, is that sensitive networks have more than enough reason to fear complex attacks too. One of the most interesting documents in this regard appears to be taken from an internal Wiki, cataloguing ongoing projects (with calls for intern development assistance). (...)"

Cisco Annual Security Report 2015

Quite interesting, as can be seen in the "key discoveries":

Attackers have become more proficient at taking advantage of gaps in security to hide and conceal malicious activity.
► In 2014, 1 percent of high-urgency common vulnerabilities and exposure (CVE) alerts were actively exploited. This means organizations must prioritize and patch that 1 percent of all vulnerabilities quickly. But even with leading security technology, excellence in process is required to address vulnerabilities.
► Since the Blackhole exploit kit was sidelined in 2013, no other exploit kit has been able to achieve similar heights of success. However, the top spot may not be as coveted by exploit kit authors as it once was.
► Java exploits have decreased by 34 percent, as Java security improves and adversaries move to embrace new attack vectors.
► Flash malware can now interact with JavaScript to help conceal malicious activity, making it much harder to detect and analyze.
► Spam volume increased 250 percent from January 2014 to November 2014.
► Snowshoe spam, which involves sending low volumes of spam from a large set of IP addresses to avoid detection, is an emerging threat.

Users and IT teams have become unwitting parts of the security problem.
► Online criminals rely on users to install malware or help exploit security gaps.
► Heartbleed, the dangerous security flaw, critically exposes OpenSSL. Yet 56 percent of all OpenSSL versions are older than 50 months and are therefore still vulnerable.
► Users’ careless behavior when using the Internet, combined with targeted campaigns by adversaries, places many industry verticals at higher risk of web malware exposure. In 2014, the pharmaceutical and chemical industry emerged as the number-one highest-risk vertical for web malware exposure, according to Cisco Security Research.
► Malware creators are using web browser add-ons as a medium for distributing malware and unwanted applications. This approach to malware distribution is proving successful for malicious actors because many users inherently trust add-ons or simply view them as benign.

The Cisco Security Capabilities Benchmark Study reveals disconnects in perceptions of security readiness.
► Fifty-nine percent of chief information security officers (CISOs) view their security processes as optimized, compared to 46 percent of security operations (SecOps) managers.
► About 75 percent of CISOs see their security tools as very or extremely effective, with about one-quarter perceiving security tools as only somewhat effective.
► Ninety-one percent of respondents from companies with sophisticated security strongly agree that company executives consider security a high priority.
► Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches.
► Larger, midsize organizations are more likely to have highly sophisticated security postures, compared to organizations of other sizes included in the study.


Addressing in Windows 8

Very interesting:

How Control Flow Guard Drastically Caused Windows 8.1 Address Space and Behavior Changes

Windows 8.1 radically changes the address space layout of the system by finally removing the 44-bit limitation which I described in one of the earliest blog posts on this website (and which Wikipedia even links to!). This is a little-known detail about the operating system, and an odd thing for Microsoft not to emphasize with more aplomb, especially given that 8.1 is considered a “patch” of Windows 8.

Now, you may think that 16 TB to 256 TB is a meaningless change since no applications currently use even a fraction of that space, but the main benefit of this change is not the ability to allocate additional memory, but rather the increased entropy space available for Address Space Load Randomization (ASLR), especially given that Windows 8 introduced High Entropy ASLR (HEASLR), Top-down Randomization and Anonymous Memory Randomization.


Top security tools of 2014

2014 Top Security Tools as Voted by ToolsWatch.org Readers

01 – Unhide (NEW)
02 – OWASP ZAP – Zed Attack Proxy Project (-1↓)
03 – Lynis (+3↑)
04 – BeEF – The Browser Exploitation Framework (-2↓)
05 – OWASP Xenotix XSS Exploit Framework (0→)
06 – PeStudio (-2↓)
07 – OWASP Offensive (Web) Testing Framework (NEW)
08 – Brakeman (NEW)
09 – WPScan (0→)
10 – Nmap (NEW)

full article with a description of the tools

Exploit Pack

An interesting alternative to Metasploit and the like:

Exploit Pack is an open source GPLv3 security tool; this means it is fully free and you can use it without any kind of restriction. Other security tools like Metasploit, Immunity Canvas, or Core Impact are ready to use as well, but you will require an expensive license to get access to all the features, for example: automatic exploit launching, full report capabilities, reverse shell agent customization, etc. Exploit Pack is fully free, open source and GPLv3. Because this is an open source project you can always modify it, add or replace features and get involved in the next project decisions; everyone is more than welcome to participate. We developed this tool thinking for and as pentesters. As security professionals we use Exploit Pack on a daily basis to deploy real environment attacks into real corporate clients.

How browsers store passwords

How Browsers Store Your Passwords (and Why You Shouldn't Let Them)

An interesting analysis of how browsers store users' passwords. In short, the answer to the question of whether it is easy to recover the stored passwords is:
  • Chrome: Easy
  • Internet Explorer: Easy/Medium/Hard (Depends on version)
  • Firefox: Medium/Very Hard

Intel Software Guard Extensions (SGX)

Intel® Software Guard Extensions (SGX): A Researcher’s Primer

There is a new set of features coming to Intel CPUs that have massive potential for cloud security and other applications such as DRM. However, as with all things that can be used for good there is also the potential for misuse. These features come in the guise of Software Guard Extensions (SGX). (...)

Intel® Software Guard Extensions (Intel® SGX) is a name for Intel Architecture extensions designed to increase the security of software through an “inverse sandbox” mechanism. In this approach, rather than attempting to identify and isolate all the malware on the platform, legitimate software can be sealed inside an enclave and protected from attack by the malware, irrespective of the privilege level of the latter.

So in short this means we can create a secure enclave (or a Trusted Execution Environment – TEE – if you wish) at the CPU level which is protected from the OS upon which it is running.

Architecturally Intel SGX is a little different from ARM TrustZone (TZ). With TZ we often think of a CPU which is in two halves i.e. the insecure world and the secure world. Communication with the secure world occurs from the insecure world via the SMC (Secure Monitor Call) instruction. In Intel SGX model we have one CPU which can have many secure enclaves (islands): (...)

full article

Sigreturn Oriented Programming

Tutorial article: Playing with signals : An overview on Sigreturn Oriented Programming

Academic paper: Framing Signals—A Return to Portable Shellcode

"Like return-oriented programming (ROP), sigreturn oriented programming constructs what is known as a ‘weird machine’ that can be programmed by attackers to change the behavior of a process. To program the machine, attackers set up fake signal frames and initiate returns from signals that the kernel never really delivered. This is possible, because UNIX stores signal frames on the process’ stack."
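As an added illustration (not code from either article), the following Linux C program shows the property the quote relies on: when the kernel delivers a signal, the saved register context handed to the handler lives on the process's own user stack, and sigreturn later restores whatever that memory holds. The function names and the 64 KiB proximity threshold are this example's own assumptions.

```c
/* Added example, not from the cited article or paper. On Linux the kernel
 * builds the signal frame (siginfo plus the ucontext holding every saved
 * register) on the interrupted task's user stack and passes the handler a
 * pointer to it; sigreturn restores registers from that frame on the way back. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static volatile uintptr_t frame_addr;    /* where the kernel placed the ucontext */
static volatile uintptr_t handler_local; /* address of a local in the handler    */
static volatile int handler_ran;

static void on_sigusr1(int sig, siginfo_t *info, void *ctx)
{
    volatile char marker = 0;          /* on the same stack the frame was written to */
    (void)sig; (void)info;
    frame_addr = (uintptr_t)ctx;       /* ctx points at the kernel-built ucontext_t */
    handler_local = (uintptr_t)&marker;
    handler_ran = 1;
}

/* Install an SA_SIGINFO handler, raise SIGUSR1 synchronously and report where
 * the saved context landed: 1 if it lies within 64 KiB of the handler's own
 * locals (an assumed threshold), 0 if elsewhere, -1 if signal setup failed. */
int signal_frame_on_stack(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigusr1;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return -1;
    handler_ran = 0;
    if (raise(SIGUSR1) != 0 || !handler_ran)
        return -1;
    uintptr_t lo = frame_addr < handler_local ? frame_addr : handler_local;
    uintptr_t hi = frame_addr < handler_local ? handler_local : frame_addr;
    return (hi - lo) < 64 * 1024 ? 1 : 0;
}

int main(void)
{
    int r = signal_frame_on_stack();
    printf("saved signal context found on the user stack: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

Because the restore step trusts the frame's contents, defenses such as the kernel's sigreturn frame checks and user-space stack integrity matter more than the handler code itself.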

The top 10 cyber crime stories of 2014

Top 10 cyber crime stories of 2014

The 10 stories:

1. Business needs to take cyber crime seriously, says top EU cyber cop Troels Oerting
2. Service model driving cyber crime, says Europol report
3. UK-led cyber crime taskforce proving its worth, says top EU cyber cop
4. UK operation nets 17 suspected Blackshades cyber attackers
5. Dark markets downed in international anti-cyber crime operation
6. UK police make four arrests in international cyber crime crackdown
7. More than a hundred cyber criminals arrested in global operation
8. UK National Cyber Crime Unit open to business
9. UK police face steep learning curve on cyber crime
10. Cyber criminals set to become information dealers, says Websense