Wednesday, December 31, 2014

Five infographics for more secure 2015

Whether it is the famous ball located on the roof of One Times Square in New York, the popular twelve grapes of luck in Madrid (Spain), the Italian lentils or the magic combination of sea and fireworks in Brazil, each culture has its own ritual to say goodbye to the year. At the CIGTR we are going to do it with infographics. There is no better way to close 2014 than making you think about security, before so much party and the bank holiday. Today more “a picture is worth a thousand words" more than ever.

They are not twelve grapes, but seven myths what you will find on the first infographics produced by Symantec. Seven myths about cybersecurity that are refuted by this security firm. If you want to keep yourself secured in 2015 buy a professional antivirus software. Free versions do not work. You may think you are so clever, but noticing if your device is infected is a task reserved for very few. These two are just two of the seven myths. To find out the rest, please look for the the link below this article.

Tuesday, December 30, 2014

Surveillance, cyber crime and censorship sign off 2014

"They cannot kill me, my country will react, it will send a letter." James Bond defended himself this way in Casino Royale, in relation to the alleged response that his government would take following his death. But Bond was a spy, and therefore he knew that if he had problems, he will be alone.

Spy movies were very popular in the 80’s and 90’s. Now they are back in fashion, although they are not just movies. The German chancellor has found out that it was being spied more than onceit has been spied. This time they did almost by chance thank to a smart antivirus software that detected a USB memory infected by Regin, which is a spyware linked with British intelligence and the US national security agency (at least in the beginning).

Monday, December 29, 2014

Identity theft techniques become more sophisticated

Hijacking or personal data theft is a clear trend that we will have to face more and more often. The techniques remain the same, but due to the digital crime industrialization and the fierce technological evolution, they are becoming more sophisticated.

Let’s imagine a scenario in which most services use fingerprint reading as identification method. In this environment, let’s imagine that a group like the Chaos Computer Club is able to obtain anyone’s fingerprints from some pictures of their hands from different angles. Actually this scenario is not a utopia, but reality. In one of his last lectures, these Germans showed how they obtained the ones of their defense minister, Ursula von der Leyen, thanks to some photos gathered from public sources.

Sunday, December 28, 2014

Top 10 Infosec links of the year

Definitely, four words have shocked our readers on this year: "Pictures of naked celebrities". Neither Heartbleed, nor Chameleon, nor end of Windows XP support, 2014 most read stories in this, yours humble, information service are referred to "Celebgate", the hack against Apple iCloud service, and subsequent theft and leak of famous' pictures. Even somebody tried to make and exhibition with some of them.
We didn't see, however, nude photos of male celebrities, demonstrating that black hats are men and heterosexual, and/or famous men don't take nude pictures of themselves. Anyway, 2014 has been the year when many users have become aware of their privacy, seeing how easy is to get data that reveals their lives and routines, as in the social network for athletes, Endomondo, which by default discloses its members routes. 

Saturday, December 27, 2014

Black clouds of insecurity over Internet

If we lived in "The Lord of the Rings" we would say that Sauron and his dark shadow cover practically entire Internet. Wherever we look at, the Black Riders roam freely, allowing themselves to threat the holiest things on the net, and the net itself. In front of so many orcs, created by mafias but also by black magicians working for governments, Community of the Net's fight seems a drop in an ocean of lava. If you allow us the pessimism, computer in-security is actually rampant and exceeds all predictions of science fiction and cyberpunk literature.
Just look at Lizard Squad group: after spending Christmas bombing Xbox Live and PS Network, now threaten to break down Tor network, created to ensure anonymity and unrelated with video games world. Tor's a goal too far away from old ways of Lizard Squad, whom seems that success has gone to its head. Another dodgy, Kim Dotcom, the Mega's millionaire owner, has also gotten into this bizarre story.

Friday, December 26, 2014

Security, privacy and cyber war: what it will come

2014 ends showing us two trends for next year. On the one hand, the increasing use of denial of service attacks. On the other, the assaults on citizen’s privacy in alleged attempts of fighting terrorism. We bring you four articles about some recent events, two for each subject.

The answer to the alleged attack to Sony Pictures by North Korea finally arrived. A massive DDoS attack shut down the whole North Korean Internet network for about 10 hours. The US is thought to be the attacker. It is still being gathering information, but it seems clear that there were innocent victims, as Spanish hosting provider Dinahosting whose DNS were targeted by such campaign for hosting a site related to the country's government on its servers.

Wednesday, December 24, 2014

Times change

A change process is the transformation suffered by a previous state into a new state. Until 1990, science understood change as an exception between two stages of stability. With the social and technological developments in the past two decades, change became a constant, something permanent in our lives, something we must adapt to and learn to cope with.

In fact, one the most traditional companies in terms of change management, which is Apple, has been forced to launch an automatic update for the first time in its desktop OS X history. This security update patches a serious flaw on the NTP protocol that could allow an attacker to remotely control any vulnerable device. Moreover it became mandatory for the first time, asking the system to auto-run it as soon as it connects to the Internet.

Tuesday, December 23, 2014

Technology is neither good nor bad; nor is it neutral

Melvin Kranzberg was a renowned history professor who lived his student years in the Second World War. Knowing the influence of technology over society and witnessing that all innovations were negatively perceived by people who saw how they were used to create more and more destructive weapons, he defended technology saying "Technology is neither good nor bad, nor neutral."

"It is how you use it what declines the balance towards either side," others add as tagline. There are plenty of examples of good and bad uses of technology in history.

Monday, December 22, 2014

Clocks putting national security at risk

Egyptians measured time with hourglass, a device that controlled water flow to time actions. Even before human beings had used sundials or sand clocks. The first clocks of weights and wheels appeared at the time of the Byzantine Empire. They evolved in the Middle Ages until they got more sophisticated and reduced their size leading to the hand watch invention around the seventeenth century. Then they came the mechanical ones, later the analog and digital ones, and finally the atomic one.

All the technological network of our society is depends on tools for measuring time, ranging from the flow of actions itself to the connection and communication of data packets and the input and output of information displayed on a screen. To control all this, they were developed time management protocols such as the NTP one, used to synchronize the clocks of different connected systems preventing leaks and packet loss. But Neel Mehta and Stephen Roettger, from Google’s security team, have demonstrated that NTP is remotely vulnerable and allows to gain control of a system with user permissions. This vulnerability affects almost all systems, but it becomes critical regarding ICS and SCADA architectures, which are used for power stations, traffic lights or water purification systems.

Sunday, December 21, 2014

Top 5 Infosec links of the week (LVII)

Usually on these dates, media ask brainy experts to, after much deliberation, decide what issues will be key next year. Here at CIGTR we are lucky because our readers are experts or, at least, very curious. So, we just need to take a glance at what has most interested them on this week to find out which will be the 2015 security trending topics.

On one hand and as undisputed threat rises malware that encrypts information contained on computers and demands a ransom for deciphering it. CryptoLocker is best known but there are others, like TorrentLocker, that AV company ESET has meticulously analyzed.

Saturday, December 20, 2014

Lights, camera... Hacktion!!

"The Empire threatens 'Alderaan-Like massacre if new Star Wars movie is released". If you are a huge fan of George Lucas' saga you will know the meaning of this ironic tweet from polemic @KimDotCom (Megaupload, Mega). If not, go searching on Google the term Alderaan and quite soon you will understand.

Whether you like or not Kim's style, #SonyHack earthquake has shaken every single rock on entertainment industry. During last hours everything is going 'fast and furious', going from astonishment to menaces: FBI says that North Korea is behind attack, president Barack Obama announces there will be retaliation and even asks China for help, and more and more isolated Kim (another Kim) Jong Un's Korea replies that they don't know what this 'movie' is about.

Friday, December 19, 2014

A quick approach to cybersecurity in 2015

The picture you can see attached to this article is commonly used in Internet memes about ironic situations: a college of architecture and planning so badly designed that there is not space for the first letter of the sign? Well, last year ended in a similar way in terms of cybersecurity: a well known retail chain called Target (target) became target of cybercriminals in one of the most famous operations carried out so far.

But Target’s story is still making headlines. The researcher Stephen Cobb has analyzed the 12 months following such assault and extracted some lessons for the future: you must pay attention to internal accounts and networks; you must add good technology, good people and good leadership; you must assume that politicians are not doing enough, and companies themselves either; and it should be clear that smart chips alone are not going to end cybercrime.

Thursday, December 18, 2014

The Great Dictator, the Great Hacker

"Our knowledge has made us cynical. Our cleverness, hard and unkind. We think too much and feel too little. More than machinery we need humanity. More than cleverness we need kindness and gentleness. Without these qualities, life will be violent and all will be lost..." 'The Great Dictator'. Charles Chaplin. 1940. This is one of the most vibrant, emotional and immortal speeches in the history of cinema .

Would we have been able to watch this movie if criminals paid by Germany had put on its knees the entire film industry in the World War? In fact, it seems that something similar happened with Sony Pictures, after getting hacked by cyber crooks. The group is apparently funded by North Korea and managed that the company cancelled the release of ‘The Interview’, a political comedy that makes fun of Kim Jong-Un. Just like the immortal Chaplin did with his story about the human aberration that Adolf Hitler meant.

Wednesday, December 17, 2014

Cyber weapon creators and the Hephaestus' forge

It is said about Hephaestus, son of Era and Zeus in Greek mythology, that he was born deformed and was thrown into the sea where two mermaids saved him and hid him in a cave. In such cave he will eventually learn the secrets of the forge. This is why he is called god of fire and the forge. He create weapons and utensils considered relics of the gods, such as the chariot of Helios, the helmet of invisibility of Hares or the arrows of Eros.

Hephaestus is also the god of blacksmiths, craftsmen, sculptors, and he could also be the god of malware developers. With its anvil he worked with metal as cybercriminals work with bits, shaping powerful cyber weapons.

Tuesday, December 16, 2014

You could pay a high price for these blunders and mistakes

"Blunders." Whether they are intentional or not, it is common to find these small mistakes on everything we do. They are sometimes funny and not very serious, as some bloopers in a film production. For instance, that plane that flies behind Achilles in Troy, or the glove that showed up and disappeared on Han Solo’s hand in Star Wars. But small blunders can sometimes be crucial for the success or failure of a malware campaign. Friends of the CIGTR, are you ready? Let's start.

A Chinese security company called 360 warned this week of a new threat to Android devices. The creature has been dubbed Fakedebuggerd. It is a malware that uses rootkit techniques to ensure the persistence on the system. Thus it drives users crazy with alleged flashlight or calendar apps which appear and disappear from the list of installed apps. It also hides an APT that steals private information: network names, calls, SIM card information, firmware...

Monday, December 15, 2014

Not very optimistic digital Christmas: security breaches and attacks on privacy

"We are preparing for you a Christmas gift," Guardians of Peace said in a post to both Pastebin and Friendpaste. "The gift will be larger quantities of data. And it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state.”

This cybercriminal group behind the attack on Sony Pictures’s infrastructure is threatening to disclose more confidential information if its demands are not met. This kind of attacks are saddly making headlines today too. Around 1600 (physical and virtual) Linux servers and 811 Windows servers have been violated. About 3000 personal computers of employees in American territory, and 7700 world wide have been compromised. More than one terabyte of private (and sometimes critical) information has been disclosed on file and torrent sharing websites. Even the internal certificate of your company could be already being used to spread self-signed malware.

Sunday, December 14, 2014

Top 5 Infosec links of the week (LVI)

What's Lizard Squad? Possibly this name will sound familiar just to a few readers, but things would change if we clarify that it's the group responsible for recent cyber attacks that have stretched PlayStation and XBox Live online sites. Both actions have been, by far, the most read stories this week.

No wonder, considering that online gaming is one of the main interests on the Internet and any interruption is widely commented. Bad hackers know it, as Lizard Squad, one of the most active computer crime gangs, devoted in body and soul to attack the video game business. And so they are doing: PlayStation website was inaccessible during all Monday. And Microsoft's XBox Live suffered a heavy Distributed Denial of Service bombardment that left the service KO last weekend. To make matters worse, Lizard Squad has announced that will knock Sony again this Christmas.

Saturday, December 13, 2014

Don't let Internet sour your holidays

Christmas holidays are the perfect time, with all this cold and lot of leisure, to spend more hours than normal on the Internet or do more shopping online. Criminals know this and have everything prepared for Christmas season, including fraud, theft, extortion, intrusion on companies, etc. We do not intend to scare you nor embitter your vacations, but we think that to put a point of attention and awareness in our cyberlife would not hurt us in these days.

Warn about Christmas risks the results of a survey conducted by BalaBit on privileged users, as managers and executives: 70% of them will connect from home to their corporate network on these holidays, to check email, half of them several times a day. And the vast majority will use for these connections either their own, a friend's or a public device, as public wifi networks, extremely dangerous because criminals may be listening. To make matters worse, 38% of respondents have not been asked for extra levels of authentication when connecting to the company network from a device that has not been registered.

Friday, December 12, 2014

The Internet of Things: a clear target in 2015

The connected world, this technological transformation that breaks geological and temporary barriers, and quantifies the real world, providing us of measurable variables. It is an ecosystem of wearable devices, mobile devices and home automation devices. The era of the Internet of Things is coming. But like any other paradigm shift, it brings associated risks.

The Internet of Things is made up of billions of devices running over different protocols in a fervent struggle to get the leadership of the sector. The implementation of several protocols with different vulnerabilities without a standardized control could affect even your life when an attacker takes advantage of such vulnerabilities to compromise medical technology.

Thursday, December 11, 2014

Everyone has a hacker inside them

1961 is one of the most important dates in the technological world. In that year, the Signals and Energy committee at the Tech Model Railroad Club got one of the first PDP-1 computers. This group would become later the core of the Artificial Intelligence Laboratory at MIT, the top IA center in the world in the early 80’s. And it will eventually introduce the term ‘hacker’ in the collective consciousness.

Hacker is one of the most controversial words in recent years. Hacker has been commonly used as a synonymous for digital intruder. For example, for the guys behind vulnerabilities as the POODLE’s one. Actually this platform has swap from SSL to some versions of TSL protocol. But you won’t be free bug even if you disable SSL backward. The TLS 1.2 version seems to be vulnerable too.

Wednesday, December 10, 2014

Past, present and future of IT security

In ‘Back to the Future’ movie (1986), Robert Zemeckis (screenwriter) pictured how he imagined the world in 2000. It was a world with flying vehicles and wearable technology, where people were still going to coffee shops to enjoy pancakes with ice cream and chocolate syrup while reading... a digital newspaper.

2014 is about to end and the Marty McFly’s seems to be so far away in time. However we are close to live in a permanently connected world with all the technology needed to feed our voracious appetite for information. McAfee Labs describes the main trends in cybersecurity for next year on its latest threat reportAnd yes, the internet of things as well as wearables and mobile devices appears as primary sources of risk.

Tuesday, December 9, 2014

Several tips on freedom and privacy on the Internet

Don Quixote said to his unshakable squire: "Freedom, Sancho, is one of the most precious gifts that heaven has bestowed upon men; no treasures that the earth holds buried or the sea conceals can compare with it; for freedom, as for honour, life may and should be ventured." The 'nobleman’ took this ode as a principle while he was making his way through the yellow fields of Castile as in a heroic epopee.

Freedom remains as important for the future of society today as it was then. But freedom is encapsulated under self-control principles that allow collective life. And freedom is continuously suspected of being put under government control, including censorship, as GigaOM recently demonstrated on a study (PDF version) that analyzes its progress in 65 countries in 2014. Russia, Turkey and Ukraine are the ones where censure level is the highest; Iran, China and Syria are the ones most limited in terms of personal expression.

Monday, December 8, 2014

Millions of users on the crosshairs of crime industry

The video game world holds 9% of the entire cybercrime industry. This 9% representing hundreds of millions of annual losses for video game companies, and millions of profits for evil minds. In fact it is one of the four most attacked targets on the cyber environment, and perfect breeding ground for all techniques of extortion, denial of service attacks and theft of data by black hat "hackers”.

Lizard Squad is one of the most active groups in the black market. It has marked this bank holiday in Spain to carry out its misdeeds: two major attacks on two of the three major gaming ecosystem.

Sunday, December 7, 2014

Top 5 Infosec links of the week (LV)

It's a love-hate relationship we have with technological devices. First, they're our object of desire and we spend huge amounts of money on them. But, on the other hand, as they become more complex increases our ignorance about how they work and how to use them safely. So, we fear them. That's why most of our top read stories this week (and most weeks) are related to dangers lurking in our digital life.

Our top news this week relates to several Chinese mobile phones, cloning well known brands, sold with factory installed Trojans, namely a malicious code on your phone's firmware which allows installing software without owner's knowledge, data monitoring and even identity theft.

Saturday, December 6, 2014

The hack of the year

In the good old days it was said that the network grew so as exponential that a year in the Real World were seven years on the Internet. This rate of growth has been slowing, except in some areas where research continues and new software, new theories and new experts constantly appear. As in social media marketing and, to a greater extent, computer security, a world moving relentless, plunged into an arms race unstoppable today.

Undoubtedly, the hack of the year and next is the attack against Sony corporation by a group calling themselves #GOP (Guardians Of Peace), with pad included in its name, born to be trending topic. To the mystery about attackers' origin and motivation (it was said it was an attack by the North Korean government but today many experts doubt about it) we must add their disproportionated actions: they've disseminated on the Internet films not yet released, documents that reveal the salary of senior executives and, today, we know they are sending emails to Sony employees, threatening to attack them if they do not sign a letter against the company.

Friday, December 5, 2014

Don’t let your lack of digital knowledge make you weaker

Cleobulus, known as one of the Seven Sages of Greece, launched a personal crusade against ignorance. A quote attributed to him says “Ignorance and talkativeness bear the chief sway among men”.

Such ignorance is used to weave the dark and harmful side of technology. As an example, several Chinese popular cellphone clones are sold within a malicious software on their firmware. This software allows to install external packages, monitoring data consumption and even steal the identity of the user. If you have chosen a clone device, watch out! Don’t let ignorance make you weak.

Thursday, December 4, 2014

Your salvation on the Internet depends on two human variables

“I am I and my circumstance; and, if I do not save it, I do not save myself.” You may already have heard these words more than once and certainly this will not be the last. This way Ortega y Gasset explained one of his philosophical pillars, vital reason. Every person (user) is influenced by two factors: what he thinks and what he lives. We can not understand human nature isolating reason (absolute concepts) from vitality (subjective experiences).

In this sense, Internet understood as a technological network created as a reflect of our communication ability can not get away from this fact.

Wednesday, December 3, 2014

It was accidentally on purpose, as digital hook

Last week passed Roberto Gómez Bolaños, better known as "Chespirito" or "Chavo del Ocho". One of these humorous artists with whom we grew up, he coined the famous phrase "It was accidentally on purpose".

Cyber attackers have hurried to exploit the tragic news for malicious purposes. A sponsored tweet (for now in English, although we expect its spread in Spanish and Portuguese), invites the user to access a page with supposed new information about the success is exploited to send victims to an infected domain, or to download an adware app. Let's be very careful with shortened links.

Tuesday, December 2, 2014

The Hitchhiker's Digital Guide

Imagine a morning like today, someone bites your door and gently notifies you that your house will be demolished. A similar situation (in fact, literally similar), just changing 'home' for 'planet', was what Arthur Dent had to live in "The Hitchhiker's Guide to the Galaxy", the first novel of the saga with the same name, written by Douglas Adams and whose format resembles more the classic step by step tutorial about what we should not to do in accordance with what’s happening.

If Adams was able to write five novels under the same prism, shall we not be able to lecture us accordingly with the day's news in computer security? Digital Hitchhiker, let's do it.

Monday, December 1, 2014

Enjoying the International Computer Security Day in the best way

The "International Day of Information Security" is celebrated on November 30th since 1998. This date is good for every one who work involved in computer security to raise awareness about the important role that information security plays nowadays. Last November 30th was Sunday, so let’s start this week dipping into some of 'hot' headlines of the weekend, all of them, of course, related to privacy, security and exploitation of bugs.

You can spend the International Computer Security Day in many different ways. For some people, information security and the right to privacy is above global interests. For others, the end justifies the means. This is why the abuse on personal information is reasonably accepted at some specific areas. For intance, when a judge requests the intervention of the digital accounts of a suspect. But what about when this is done in bulk, whether the citizen who is being spied on is suspect or not ?

Sunday, November 30, 2014

Top 5 Infosec links of the week (LIV)

Would you leave your life in the hands of a computer? The answer at first sight is a big No! But if we approach a magnifying glass, we'd see a concept that's becoming harder, called Internet of things, and if we focus further, we'll see that, among these things, there are cars, computers on wheels today. The dangers of driverless car have been what most interested our readers this week.

They call them autonomous cars and manufacturers promise next year there will be driverless cars in Britain, something that has astonished the Institute of Engineering and Technology at that country, who warns that 98% of applications that run on these vehicles have serious defects that could lead even an attacker to take remote control.

Saturday, November 29, 2014

Smart hacker vs fool hacker

In hacker community's jargon there are many adjectives that apply to who knows much: elite, guru, samurai ... At the other extreme is the lamer, somebody who neither hears nor wants to know, who prefers to copy the work of others than get to learn. At first it may be difficult to distinguish between them, especially when the swashbuckling lamer often appears to be elite and beyond. Just give it time and, like so many things in this life, for their actions you’ll know them.

They’re black hat hackers, yes, but elite after all, the authors of the latest known attack against a large Fortune 500 corporation: to steal company data, they hid it in videos uploaded to a cloud service. This was achieved using a technique called steganography, which allows to inject information into an image or film undetectable to the eye, and since what has been seen, to intrusion detection systems too.

Friday, November 28, 2014

APTs spearheading new cyberwar

"If we were able to develop samples that were not detected by these tools without actually having access to any of the tested products during the development phase, then resourceful attackers who may be able to buy these products will also be able to develop similar samples, or even better ones."

This is the conclusion reached by one of the researchers behind BAB0, which is a malware created to test attack detection systems across security industry. BAB0 is just an APT taking advantage of techniques such as steganography (hiding code on images) to infect the victim, and may thereafter monitor traffic and break operating system sandboxes.

Thursday, November 27, 2014

Fiction inspired by digital reality

What does it inspire a person to create a novel, a movie or a comic book? It is usually life itself, which is rich enough to produce the best comedies or the darkest horror stories.

Imagine for a moment that the protagonist of this story discovered by chance that someone has been spying on him for a long time. Perhaps this surveillance has been carried out by a Big Brother, like in The Truman Show (1998) or by technology itself, as we saw in the Person of Interest series (2011). But the seed is exactly the same. Every month some spyware is discovered (sometimes by chance). This is the case of a new variant of Remote Control System (RCS) spyware developed by Italian company Hacking Team.

Wednesday, November 26, 2014

Security manuals for all tastes

Nowadays written manuals are something usual, but its history began just two centuries ago, when the evolution of scientific doctrine influenced the democratization of epistolary genre (letters) as a tool for indoctrination.

Thanks to the Internet, the concept of manual has blurred, since it can come out  on different formats now. Ranging from video-tutorials to infographics or articles on both social networks and blogs. This post is an example of it. You may want to keep it on your bookmarks, as it collects several of these manuals to learn and to master new technologies in a secure way. Let's start.

Tuesday, November 25, 2014

The burning of witches in the digital world

In classical mythology, witches were human beings with the ability to transform themselves into animals, devour souls and transform physical laws at will. It is not until 1400 when the Church accepts the presence of witches into its bosom. They were considered women who had reached an agreement with the Devil, and therefore fire was required to purify their spirit. The burning of witches was used for centuries to solve family troubles, helping to keep the retrograde belief that women were inferior and sinful.

The burning of witches has evolved over time becoming more subtle. Now the target of the fire is users or companies. For example, Sony Pictures suffered an attack yesterday. Its network was hacked what may lead to the future publication of confidential data. Movie teasers, for instance? Perhaps contracts or agreements of the film industry? We'll see what happens in the coming days.

Monday, November 24, 2014

Recipe for a healthy life in the digital world

The recipe format has been used in many areas. Gastronomy, chemistry, biology, physics... However, in computer science has not so much. At the CIGTR we like challenges so will introduce you a method of preparing a contest of digital data exhibition.

The first thing you need is two-thirds of common sense, which you will shake on our social profiles and devices in order to avoid exposing your personal data. Take at least five minutes a day to upgrade your system against Trojans like Regin. It has been messing in cyberspace since 2008. This Trojan is divided into 5 layers, each of them more sophisticated than the previous one. Its recipe was allegedly baked into some government’s oven.

Sunday, November 23, 2014

Top 5 Infosec links of the week (LIII)

Stats, brainy reports and daily observation say that:  most people online do not care to make their personal information public. Corroborates it the passion they put on entering data in social networks about their tastes, schools where they studied or pictures of their family. This data, in the hands of the right person, can become highly sensitive and be used for various scams. But ... ah! when information in danger refers to their money, things change.

Indeed, what has most worried our readers this week has been the stealing of financial information from 2.7 million customers of international bank in Hong Kong and Shanghai: names, card numbers, expiration dates and associated account numbers have been filtered. Luckily, the bank has been honest and informed customers of the problem.

Saturday, November 22, 2014

Can law save the unicorn?

We sometimes refer to current situation of security on the Internet as the Old West, but now we rectify: It’s an epic struggle where the bad guys are getting more and more clever. The forces of Good, however, act uncoordinated, sometimes even tripping up each other. We’re improving education about computer security, there are more and better programs for our protection, law enforcement agencies are up to date in this field ... But that's not enough to stop the plague. Now it’s togas’ turn: legions of judges and lawyers join the battle.

It’s this weekend big news: a Russian server showing thousands of links to IP cameras connected to the Internet. Their weak access passwords (admin, 1234) have made them easily hacked. Almost 400 of them are from Spain, showing parking places, shops or... babies!. Such oversight can only be explained by the lack of information security culture in the street, especially on devices that do not appear to pose a danger.

Friday, November 21, 2014

The suitcase of a digital spy

When James Bond needed technological tools, he went to hidden laboratories where they provided him with latest spy developments. A recorder clock, a ring with poison, or a bombproof car which was also useful to "show off" towards females.

Spies in the 21th century have at their disposal similar tools, but this time these tools are digital. They make their work easiera and force them to keep themselves contiously learning. As James Bond, they must also put them in their suitcase.

Thursday, November 20, 2014

"The Prancing Pony" and the reality of digital security and privacy

“I amar prestar aen (the world is changing), han mathon ne nen (I feel it in the water), han mathon ne chae (I feel it in the earth), a han noston ned gwilith (I smell it in the air)”. The The Lord of the Rings film trilogy, an adaptation of Tolkien's most famous novel, started this way, in Elvish. This story reflects how thousands of small accidents make up an ever-changing reality.

Some years ago, the digital world was very different. Its risk was about the same, but there was no awareness of it. Users saw the Internet as a window to a world of fantasy and black hat hackers were devoted to less hazardous duties.

Wednesday, November 19, 2014

Security on the Internet, both on your closest environment and outside

Sometimes we focus on people who are outside our closer circles and forget about the ones who are nearer to us. Cybercriminals know that and take advantage of it to draw the victim’s attention to a misleading direction.

If you need to keep conversations private using an anonymous communication channel like Tor, cybercriminals will make you think that such system is impregnable, so you trust on it and deploy some of your services taking advantage of the alleged anonymity of such network. When suspicion surfaces, they will monitor all traffic going through most of its nodes. In fact, the kingdom of Tor is not as anonymous as you could thought, according to a paper recently released: 81% of daily traffic is not anonymous.

Tuesday, November 18, 2014

Four plus two is not always six, or at least it shouldn’t be

If you ask a mathematician how much is four plus two, he will tell you that it equals six. Exactly 6. It belongs to integers with no fractions or decimals. But if you have an engineer in front of you, it gets a bit tricky. He will probably tell you that he is missing some data. Indeed it is not the same four kilograms plus 2 grams than vice versa.

Now, when it comes to information security, fractions, decimals, variables or elements are not insteresting. What it is truly interesting is the value that can be derived from such summation. So if the CIGTR tells you four recent attacks and two recommendations to foster debate, what do you think will be its outcome? Let's see.

Monday, November 17, 2014

Misuse of the Internet: Cyberbullying, theft and lack of privacy

“To say that I'd do worse things than rape is utterly appalling, it's disgusting.” Isabella Sorley, 24, showed how deeply sorry she was for all the harm she had done, on an interview for the BBC in the UK.

Isabella is one of the many other faces hidden behind an Internet troll. With this interview the BBC was trying to clarify what goes through an apparently normal person’s mind to become a monster on social networks. Trolling is one of the most harmful and difficult to control peculiarities of the Internet.

Sunday, November 16, 2014

Top 5 Infosec links of the week (LII)

What is Net neutrality? According to Wikipedia, "freedom of restrictions on the kinds of equipment that can be used on the Internet and modes of communication allowed, without restricting the content, sites and platforms and where communication is not unreasonably degraded by other communication". Most read news of this week is about Net neutrality: President of the United States’, Barack Obama, position about it.

Obama’s position was not so clear in the past, since it’s a lot of years that large companies that provide accessibility and services on the Internet face this issue: breaking neutrality means that the highest bidder will see its traffic prioritized against other, something that Obama is against, as he said to the US Federal Communications Commission.

Saturday, November 15, 2014

I spy, You spy, He spies and WhatsApp makes it optional

It's the big complaint online: "We do not have privacy, we are spied everywere". We're in a tricky territory, where nobody has yet clear limits. Data is now big, big business and people love services that are free, in exchange of their information. They don't know, or don't want to know, that less privacy is less security.

But, sometimes, we recognize the danger and react. This has been the case with WhatsApps’ blue doble check: it was activated last week, to tell the emissary of a message that the recipient has read it. After an avalanche of complaints and reports that some cybercriminals were using it for their misdeeds, yesterday WhatsApp launched a new version, 2.11.444, which allows to disable this option.

Friday, November 14, 2014

Caution, a mandatory in the digital world

The story of spy Roberto Flórez was the most highly talked about topic in Madrid at its time. This man made counter-espionage work for the Russians for several years, with some surprising movements. In this sense, he was not the most cautious person. He repeatedly offered his services at the door of the Russian Embassy in Madrid. This, added to the fact that he systematically kept all receipts and invoices from his work, led to find him guilty of all charges presented at court.

However for others it is mandatory to be cautious. For such purpose, some technologies provide anonymous communication services. At least, all anonymity you can expect from a digital system. The Tor network is one of the most common tools used by those interested in privacy. Perhaps this is the reason why this network it is continuously targeted by strategies aimed at violating its architecture. OnionDuke is one of them. It modifies binary communications using a fraudulent Russian node. If you have the misfortune of exiting through this node, my friend, your communications are no longer secure.

Thursday, November 13, 2014

Happy endings in the digital world

“They lived happily ever after.” Many of children's stories ends with this words. But in Spanish they have another end line that literally translated says “they lived happily and ate partridges.” Actually partridges have several positive connotations as a gastronomic delicacy. In the Middle Ages, only wealthy people could eat partridges. Thus, it implied that the characters would have enjoyed a full life, both at emotional and socio-economic levels. The story ended in a good way, and left you a good taste in your mouth.

However real world is not so simple. Life is a collection of experiences, some of them are positive and some negative. Depending on how you confront them you can consider yourself successful or not. Nevertheless some other stories have a clearly happy ending. Onymous was a joint operation by Spanish Guardia Civil along with Eurojust and the New York Office that has ended up with 17 people associated with clandestine activities in the Deep Web in court. In addition, they have managed o close up to 410 services hosted on the TOR network.

Wednesday, November 12, 2014

Net neutrality: Controversy is under way

Obama's statement in support of Net Neutrality was the most highlighted topic yesterday. Given its impact, it is relevant to go into detail in order to resolve some questions about the meaning and connotations of a hypothetical Internet running at different speeds.

Net Neutrality is defined as a principle that establishes that all traffic flowing through a network (in this case, the Internet) should be treated equally, regardless of its content and origin. If this principle is broken down, it could lead to a situation where the data of a video had preference against a text, or a specific media website with high volume of users gained priority over other sites.

Tuesday, November 11, 2014

Keeping Internet open, free and well protected

“More than any other invention of our time, the Internet has unlocked possibilities we could just barely imagine a generation ago. And here's a big reason we've seen such incredible growth and innovation: Most Internet providers have treated Internet traffic equally. That's a principle known as ‘net neutrality’".

With these words, Obama has positioned himself as a defender of a free and open Internet for all. He asked the FCC to ensure its future, thus turning back on companies interested in breaking Net Neutrality. Giving up on those companies wishes would have allowed large enterprises as Google or Amazon to make an unequal distribution of bandwidth according to their purposes, which would have meant a detriment for other services with no so many resources.

Monday, November 10, 2014

All about Phishing: As simple as dangerous

Saturday morning. You nicely get up, aware that you don’t have to work today, and walk along the few meters from the hall to the kitchen to make breakfast. While the milk is heating, you decide to check your email and you find something that you definetly did not expect.

Apple writes you to let you know that you have correctly proceeded to change your recovery email address to an email address that you do not know. If you did not do it, you have the option to verify it. Of course, you click on it, fill up the form with your data, and cancel the change. Wait! Have you checked the domain from which the email was sent? Have you made sure that the website you are visiting has a valid CA certificate?