Sunday, August 31, 2014

Top 5 Infosec links of the week (XLI)

"12333, a transcendental number for understanding the current technology, 5 reasons to understand why your business is under attack, switch devices death Californians and their possible harmful use to society and master keys printed in 3D". The five top post this week, directly in the Sunday compilation.


12333 is the number of the executive order on which every branch of the American intelligence community relies for the global espionage of this age. An order that allows the analyst to bypass the judge and shields that work from other laws, and which advocates of freedom of expression and citizens' privacy rights are now contesting.


Saturday, August 30, 2014

Our own team of Guardians of the Galaxy

"Life tends to take more than it gives, but not today, today we offer something special. An opportunity... to save others”. So animated Star-Lord, leader of the Guardians of the Galaxy, a bizarre group that makes up the single life expectancy of the universe in the Marvel film.


Heroes who never wanted to be heroes. Heroes who represent the antithesis of heroism. Heroes like Professor Sam Bowne of CCSF, who recently showed how, with some Google hacking, anyone could get into an open FTP server holding 6,073 medical records from the EA Conway Medical Center.


Friday, August 29, 2014

Twelve triple three

Keep this number in mind: twelve triple three. This is the name given to the key tool for building up the current US intelligence network.


12333 could have been just another number, but instead it gives its name to one of the most controversial executive orders in American law. Thanks to it, it was possible to weave the US global monitoring system, and it allowed the government to bypass earlier laws that protect citizens' privacy rights, according to John Tyde, formerly of the NSA.


Thursday, August 28, 2014

A switch is not enough to turn off threats

Would you kill your phone? No, it's not a figure of speech. We are not referring to those moments when it freezes just when you need it, or those times when it dials your mother by itself. The question is whether you would render your cellphone useless for ever and ever.

You may think we are asking a slightly odd question, right? Why would you sacrifice your phone? Maybe because someone stole it and there is plenty of private, or even compromising, information stored on it? Or simply because you do not want the thief using it or selling it? Lawmakers in California (USA) believe they have come up with an effective measure to reduce the number of stolen phones, which has become a serious problem on its streets. The law will require phone manufacturers to implement a default "kill switch" on all of them by next July. This system must be able to remotely lock the device and wipe all its data. It is expected that the switch will reach cellphones worldwide once manufacturers abide by the California standard.


Wednesday, August 27, 2014

You have the door, cyber criminals seek the keys

Our home's door is what separates our private and family life from the rest of the planet. We feel safe inside, we feel at home, leaving out the problems and dangers of the world outside. So when a thief violates the privacy of our home, we feel naked, outraged.

We all know some of the methods criminals use to force a door: the typical crowbar to break both the door frame and the door itself, an X-ray film to slip past flimsy latches, or ripping the door out by piercing the wall around it. However, lock experts Jos Weyers and Christian Holler have shown how easy it is to print a "bump" key from a photo of the lock thanks to 3D printing, and to open that lock by striking the key with a hammer, as you can see in the video that accompanies this article. Once again, technology can be exploited by criminals in a dishonourable way.



Tuesday, August 26, 2014

Hacking is not a video game

What was the game that changed your life? A Super Mario or Sonic one? Maybe GoldenEye for Nintendo 64 or Metal Gear Solid for PlayStation? Perhaps the Call of Duty, Grand Theft Auto or Assassin's Creed sagas? The electronic entertainment industry has given us so many masterpieces that it is difficult to choose only one, right?


For some Chinese hackers, however, the fun begins when they gain access to video game development companies' systems and steal the source code of each game. That way they can crack them for free use and free distribution. Furthermore, the code allows them to develop cheating tools and get higher scores than their competitors. According to a report by Dell SecureWorks, in many cases these amateur hackers use more sophisticated hacking techniques than those used by the Chinese government's own hackers: researching public employee information to locate the ones with the appropriate privileges, performing brute force attacks to find out their credentials and, once in possession of them, accessing the company's systems and installing malware.


Monday, August 25, 2014

Frying your brain is risky business

"I like nonsense; it wakes up the brain cells." When the writer Dr. Seuss made that statement, probably no one could imagine that, in the 21st century, researchers at the University of Oxford would discover that an electrical brain stimulation kit can improve attention.


Transcranial direct current stimulation (tDCS) applies small electrical currents directly to the scalp, thus stimulating neurons. The results in the laboratory are promising, but it is still an immature technology. However, some companies are using the hype to bring these kinds of devices to market, targeting gamers, which could be harmful if buyers are swayed by advertising claims without knowing the risks. Therefore, some voices in the scientific community are calling for its immediate regulation.


Sunday, August 24, 2014

Top 5 Infosec links of the week (XL)

"Senior security with no technical profiles, banking phishing campaigns, HTTP Shaming, IoT and routers vulnerable pro-privacy". The five top post this week, directly in the Sunday compilation.


Michael Daniel, security coordinator for the White House, makes our top of the week with some unfortunate words ("I am proud of my ignorance") that reopen the discussion on whether senior managers should or should not have a technical background.


Saturday, August 23, 2014

Sins write history

"Sins write history. Good is silent". How right the poet Johan Wolfgang Von Goethe to assert this claim. Because if something gives to a written undoubtedly tends to be a sin that someone did.


We see it in day-to-day security. A company does not make the news for having done very well (at least not usually), but for having one of its services attacked, as recently happened to Gmail for Android (although the researchers claim it affects iOS and WP8 too). A group of researchers from the University of California and the University of Michigan have identified a vulnerability in the sandbox where each application's data is supposedly stored, which would allow one app to access another and steal private data from the victim's Gmail account with 92% effectiveness. A fraudulent application seems to be all this team needs to install in order to sin.


Friday, August 22, 2014

The Commandments of Safety

“You don't have to be a coder in order to really do well in this position. In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction.” Michael Daniel, who currently is the White House’s security coordinator, began his interview for GovInfoSecurity with these words.


In fact, such words inspired Network Security's editors, who opened an intense debate about the viability of senior management without a technical profile. Among its supporters, Michael Daniel himself highlights the importance of decision making supported by a group of technical consultants. On the contrary, Martin, an editor at Network Security, recalls the danger involved in making decisions about the future of a country's security while ignoring their mid- and long-term consequences.


Thursday, August 21, 2014

UPS, Windows, Android and Stanford University in the crosshairs of cybercrime

In the last century, Canadian philosopher Marshall McLuhan said “money is a poor man's credit card.” Since then, these little pieces of plastic have evolved and have carved out a niche in our pockets. However, the success of bank cards as payment method has also caught the attention of cybercriminals.


In fact, since late 2013 we have constantly witnessed cases of large companies whose outlets have been infected with malware aimed at stealing their customers' card data. Such situations are especially common in the USA, where the proportion of magnetic stripe cards is still very high. Yesterday we learnt of a new case affecting the logistics company UPS. In an announcement on its website, it acknowledges that malware has been detected in 51 of its franchised stores in the USA, which represent 1% of the total. It also claimed to have recorded 105,000 transactions in the affected branches, but the number of users affected is unknown.


Wednesday, August 20, 2014

Education and awareness are key for cybersecurity

“The key to combating these types of attack is continued education and awareness.” Security consultant Ken Westin at Tripwire refers to phishing attacks suffered by the US Nuclear Regulatory Commission’s employees. At least three of such attacks have been effective in the past three years.

Indeed, the computers of the American institution that regulates the nuclear power industry in the United States have been hacked twice by foreigners and once more by an unidentified individual. One of the phishing attacks hit over 200 employees of the organization. A dozen of them took the bait and handed over their credentials to the attackers by following a link to a Google Docs spreadsheet. Although the intrusions were resolved immediately, the seriousness of the matter lies in the large amount of sensitive information about the US nuclear energy industry managed by the Commission.


Tuesday, August 19, 2014

Threats without borders

"Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders." Although he was born in the early 20th century, former US President Ronald Reagan understood that no barrier can be put in the way of information.

However, despite the advantages that a borderless Internet offers, malicious actors can also take advantage of them to remotely carry out their acts of villainy from thousands of miles away. For instance, the network allowed Chinese hackers to penetrate the systems of a U.S. hospital group called Community Health Systems and steal data from 4.5 million of its patients: names, addresses, birth dates, phone numbers and even social security numbers. Valuable information that may be sold to the highest bidder on the black market or used to impersonate the victims.


Monday, August 18, 2014

Internet's festivities last all year


At this point of the year, many Spanish towns celebrate their patron saint's festivities. Far and wide across the country, villages dress up for this special occasion and significantly multiply their population during this period. These are days for bull runs, 'charangas' (brass bands), religious processions and 'verbenas' (open-air dances); a lot of food and, perhaps, too much drinking; a time to be shared with family and childhood friends.

You could say that the Internet has its own festivities, but in this case the celebrations are held all year round. In the "cyber bull runs", instead of bulls there are distributed denial of service (DDoS) attacks, which are becoming more and more "savage" year by year. In the second quarter of 2014, the average peak size of these attacks increased by 291% compared to the first quarter, according to a report by VeriSign. In this regard, 65% of them exceed 1 Gbps.


Sunday, August 17, 2014

Top 5 Infosec links of the week (XXXIX)

"The security of passwords, intelligence agencies, biometric identification systems, the death of Robin Williams and the dangers of ransomware in the register of hospital patients". The five top post this week, directly in the Sunday compilation.


The first post in this top is about the relative ease with which any amateur can bypass protections if he has enough time and desire: from tools that democratize password brute-forcing to managing real botnets that infect users with automated exploit techniques.


Saturday, August 16, 2014

When attacks use seemingly legitimate tools

"What he may want a flashlight app access gyroscope?”. Perhaps to control flash intensity when he inadvertently put the smartphone or the tablet upside down, or perhaps for other thing.


Researchers at Stanford University and the Israeli defense department found a much more practical use: listening to conversations near the device. How is it possible for a gyroscope to behave as a microphone? By analyzing the changes in air pressure produced by the voice, and taking advantage of the fact that so far, at least in Android, the sensitivity of these sensors is not restricted to below 100 Hz. To make matters worse, neither Android nor iOS (the two mobile operating systems studied) allows the user to deny gyroscope access to applications, so we can consider that all handsets are currently vulnerable to this kind of attack.


Friday, August 15, 2014

Go in, don't bother knocking

A password like 'N^a&$1NG' could be cracked in approximately 3.75 days using an AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack 'GoodLuckGuessingThisPassword' using the same GPU. Of course, not all passwords are broken by brute force.

It's your choice: complexity in exchange for password length, or a long phrase at the risk of social engineering attacks? Whatever you choose, if you do not have lockout mechanisms or 2FA, your users' passwords (or your own) will fall one after another. If this is how things stand when trying to make it hard for hackers, in corporate environments they are even more complicated. "Who needs a hacker?" when Password1 will open one out of three business doors, wonders Darren Pauli of The Register. The security firm Trustwave tested over 625,000 passwords and broke 92% of them in a month... most of them in the first few minutes. This time, the most common password was Password1, followed by hello123, password and welcome1.
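The post's point that a guess list such as Password1 / hello123 / password / welcome1 only works against an endpoint that keeps answering is easy to see in code. The following is an added example written for this page (it is not code from the blog, The Register or Trustwave): a minimal login endpoint that stores a salted PBKDF2 hash and enforces an account lockout after a number of failed attempts. The policy values (5 failures, 900 seconds), the fixed salt and the account itself are constructed assumptions; a real deployment would use a random salt per account and would typically add 2FA on top.

```python
import hashlib
import hmac

# Policy values: constructed for this example, not taken from the article.
MAX_FAILURES = 5          # failed attempts allowed before the account locks
LOCKOUT_SECONDS = 900     # lock duration once the threshold is hit
PBKDF2_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; slow on purpose to tax offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    """A stored credential (salt + digest) plus the lockout state."""

    def __init__(self, password: str, salt: bytes = b"constructed-salt"):
        # Fixed salt only so the example is deterministic; use os.urandom() in practice.
        self.salt = salt
        self.digest = _derive(password, salt)
        self.failures = 0
        self.locked_until = 0.0


def attempt_login(acct: Account, password: str, now: float,
                  max_failures=MAX_FAILURES) -> str:
    """Return 'ok', 'denied' or 'locked'. max_failures=None disables the lockout."""
    if now < acct.locked_until:
        return "locked"                       # refused before the hash is even checked
    if hmac.compare_digest(acct.digest, _derive(password, acct.salt)):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if max_failures is not None and acct.failures >= max_failures:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
    return "denied"


# The most common passwords from the Trustwave figures quoted above, in the
# order a guesser working through that list would try them.
COMMON_GUESSES = ["Password1", "hello123", "password", "welcome1"]


def run_guess_list(acct: Account, guesses, now: float = 0.0,
                   max_failures=MAX_FAILURES) -> list:
    """Feed a guess list to the login endpoint and stop at the first success."""
    outcomes = []
    for guess in guesses:
        result = attempt_login(acct, guess, now, max_failures)
        outcomes.append(result)
        if result == "ok":
            break
    return outcomes


if __name__ == "__main__":
    victim = Account("welcome1")           # constructed weak account
    print("no lockout:", run_guess_list(victim, COMMON_GUESSES, max_failures=None))
    victim = Account("welcome1")
    print("lockout=3: ", run_guess_list(victim, COMMON_GUESSES, max_failures=3))
```

With the lockout disabled the fourth guess opens the account; with a threshold of three the real password is never reached, and the legitimate user is also refused until the lock expires, which is why the threshold and duration need to be chosen with support costs in mind.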


Thursday, August 14, 2014

"If we get caught..." The Plan B of cyber espionage

"If we get caught, we can always point the finger at Israel.” That's the particular sense of humor of the US National Security Agency’s Tailored Access Operations Team (TAO), according to NSA’s former contractor Edward Snowden.


Yesterday the prestigious Wired magazine published an interview with Mr. Snowden, who had to flee the USA after revealing the questionable spying practices of the NSA and many of its irregularities. Whenever this whistleblower speaks out, therefore, he captures everyone's attention. This time he revealed that the TAO team was behind a massive outage of Syria's Internet access in 2012, while they were trying to install a wiretap on the country's networks. They tried to fix it and wipe their tracks, but they failed. Then someone came out with the phrase that opened this article. He also spoke of the MonsterMind system, designed to detect computer attacks against American servers, block them and counterattack automatically without human intervention or authorization.


Wednesday, August 13, 2014

Passwords, can we live without them?

"Password", "access code", "key word", "watchword"... You can give many names to the string you type to access your devices, networks and Internet services. In many cases, this combination of letters, numbers and even symbols, which should be known only to you, is the only thing protecting your data from the prying eyes of others. It is therefore very important to choose passwords wisely and to renew them often.

Unfortunately, the number of people looking to profit one way or another from your personal data and from the information stored on individuals' or businesses' systems is increasing. All the security breaches that have happened in 2014 are the best proof of that. In fact, some people have already called this year "The Year of the Data Breach". According to a Trend Micro report for the first half of the year, in the first six months of 2014, 400 data breach incidents were reported, exposing more than 10 million personal records.


Tuesday, August 12, 2014

Robin Williams, hacker of laughter

Actor Robin Williams knew which commands had to be executed to make us smile, or which combination of keys he had to press to provoke a good laugh. He was the best hacker of laughter for a generation that grew up wishing to fly like Peter Pan, to have a nanny like Mrs. Doubtfire or to play the incredible Jumanji. Unfortunately, the versatile Mr. Williams died yesterday afternoon at the age of 63. With him go his thousand and one voices.


Unfortunately, some hackers have less laudable intentions. For instance, the Russian cybercriminal group called CyberVors which accumulated 1.2 billion user credentials, as we told you last week. Now it seems that at least 2,285,295 of them belong to accounts of 5,929 Australian websites.


Monday, August 11, 2014

Technology is never totally harmless

Comedian Cheech Marin once said "the reason we're so dangerous is because we're totally harmless." Indeed, we could say that human beings are apparently harmless creatures. But we all have experienced at some point the damage that we can inflict to each other.


The same happens with technology. We routinely use the many devices and systems at our disposal, but we are not aware of the latent threats they bring. For example, mobile phones: how many people are unaware of the risks these gadgets pose to their privacy? In this regard, Chinese manufacturer Xiaomi announced that it has already solved the privacy problem flagged by security company F-Secure last week. Users were unknowingly sending the details of their operator, their phone number, IMEI, their contacts' phone numbers and text messages to the company, even if they had switched off all the related options.


Sunday, August 10, 2014

Top 5 Infosec links of the week (XXXVII)

"Chinese Hacked Hotels, cybercrime industry, the danger of mobile, connected households and poor security IT systems in medical institutions". The five top post this week, directly in the Sunday compilation.


What happens when a security expert checks into a hotel whose rooms offer home automation services, with their requests travelling over the same Wi-Fi network the guests use to browse? A party is guaranteed, as Jesus Molina demonstrated at Black Hat this year: full access to other guests' requests, which he could cancel or even spoof.


Saturday, August 9, 2014

As a conventional business

"Customer service is an important for business value. If you want people to come back and buy from you on a consistent basis, offer them something and give them a reason to come back to you". Something that every entrepreneur has instilled in his DNA, and it works well both legitimate businesses and those who do not son.


It would be impossible not to talk about some of the news that Black Hat and DEF CON 2014 have left us. Among it, the talk by Tom Holt, associate professor at the University of Michigan specializing in cybercrime, which chronicled how large communities of cybercriminals operate under the same sales strategies as any other business. Customer care is vital: providing confidence and security, contingency plans (just in case one of those 500 card numbers turns out to be no longer in circulation) and even advice on committing the crimes.


Friday, August 8, 2014

Two and two is four... for the moment

"Freedom is the freedom to say that two plus two make four," says a desperate Winston in one of the most famous 'dystopias' of literature: '1984' by George Orwell. Nobody in his right mind would deny that two and two make four, right? And it would even sound like a joke that it was a law intended to change it, right?

A few years ago, the thought of Western democratic states developing malware and exploiting system backdoors was just as ridiculous. Maybe in science fiction... Mikko Hypponen, chief research officer at F-Secure, has expressed it with a combination of indignation and complaint: "The idea of a democratic western government backdooring systems to spy on another democratic government? But that is where we are." These are words from the Black Hat 2014 conference, which has just finished in Las Vegas, occupying the front pages of all the technology media and even some more general ones.


Thursday, August 7, 2014

A luxury hotel, an iPad and a thwarted night of passion

Imagine you're having a night of passion with your partner in a luxury hotel in the Chinese city of Shenzhen. Suddenly, the lights start to switch on and off. The blinds open and close for no reason. That would cut your carnal appetite, right?


Security analyst Jesus Molina could have interrupted up to 200 moments of ardour at the St. Regis luxury hotel in Shenzhen when he began to investigate how the iPad the hotel provides to control the lights and blinds of his room worked. He discovered that the system implemented an old protocol from the 90s called KNX/IP, which is widely used in China and Europe for hotel device automation. Although a new version adding some security features has been released since then, few users have updated. So Mr. Molina took advantage of its weaknesses and found that by changing the last digit of the IP address he could take control of other rooms.


Wednesday, August 6, 2014

Cyber crime is an industry and its raw material is our data

Criminal groups operating on the Internet have become an industry that is fed by our personal information for many of its activities. Many of these gangs work similarly to small businesses in which each member has a specific function.


For example, this kind of working dynamic was adopted by the Russian cyber criminal group which has stolen the largest number of user credentials known to date. While some of them program, others steal user data. Thus, they have managed to amass 1,200 million username and password combinations and more than 500 million email addresses. To do this, they used botnets of infected computers. Taking advantage of these "zombie computers", they were able to check which websites were vulnerable to SQL injection and so extract information from their databases. Among the 420,000 affected sites there are both sites belonging to Fortune 500 companies and to small businesses.
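The SQL injection the post refers to comes down to one coding mistake: building a query by pasting user input into the SQL text, so that the input can change the query's meaning. The following is an added example written for this page (not code from the blog or from any of the affected sites): an in-memory SQLite table with constructed sample rows, a vulnerable lookup beside its parameterized replacement, and a self-check a site owner can run against their own lookup function to see whether a quote-breaking input returns rows it should not. Table, column and row values are all constructed assumptions.

```python
import sqlite3

# Constructed sample data standing in for a site's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """BAD: the input is spliced into the SQL text, so a quote in the input
    ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str) -> list:
    """GOOD: the input travels as a bound parameter; the database never
    parses it as SQL, so quotes in it are just characters of the value."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A quote-breaking probe: a non-existent username followed by an always-true
# condition. A correct lookup must return no rows for it.
PROBE = "x' OR '1'='1"


def leaks_extra_rows(lookup, conn) -> bool:
    """Self-check for your own lookup: does the probe return rows that an
    unknown username never should?"""
    return len(lookup(conn, PROBE)) > 0


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, benign input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, probe input  :", lookup_vulnerable(db, PROBE))
    print("safe, probe input        :", lookup_safe(db, PROBE))
    print("vulnerable leaks?", leaks_extra_rows(lookup_vulnerable, db))
    print("safe leaks?      ", leaks_extra_rows(lookup_safe, db))
```

The parameterized version is the fix; the self-check is a regression test a site can keep in its own test suite so that a future rewrite of the query cannot silently reintroduce string concatenation.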


Tuesday, August 5, 2014

Cellphones are more dangerous than ever

"This didn’t happen to old cellphones." This is what your father could say when you tell him that your mobile phone has been infected by a virus. Unfortunately, the connectivity of these devices to the Internet and the proliferation of applications have boosted the number of infections and other types of threats.

According to a report by Cheetah Mobile, 9% of the roughly 24 million Android apps analyzed contained some kind of malicious code, a 20-fold increase over two years ago. In addition, another study by mobile app risk management provider Appthority highlights that 99% of the most popular free Android apps show some type of behaviour that poses a risk to the privacy or security of organizations. The figures for paid apps are substantially lower: on iOS 87% are potentially dangerous, and 78% on Android.


Monday, August 4, 2014

A connected home is a more dangerous home

The prestigious Collins English Dictionary defines "thing" as "any inanimate object." This definition is not very helpful when it comes to explaining what the "Internet of Things" (IoT) is. IoT is the growing trend of giving an Internet connection to devices that have traditionally always worked without one: washing machines, refrigerators, televisions, lighting systems, etc.


BBC technology correspondent Mark Ward wonders what security implications such "smart appliances" may have for people's lives. Most of them connect to Wi-Fi networks so they can be controlled from a mobile app. But, as security analyst Dan Cuthbert said, most manufacturers do not invest enough money in developing secure management apps. He nevertheless admits that nowadays the risk is minimal, while warning about the risk of sensitive information leaking once these devices become mainstream.


Sunday, August 3, 2014

Top 5 Infosec links of the week (XXXVI)

"What they have in common the moon and computer security, the dangers of TOR and intelligence agencies, the CIA alleged espionage, cyber criminals posing as Google bots and cyber theft". The five top post this week, directly in the Sunday compilation.


The Moon has two faces, just like computer security. In one of the CIGTR articles that has crept into the top of the most read in recent days, we talked about the secrets of information security which, like the hidden side of the Moon, keep surprising us.


Saturday, August 2, 2014

The U.S. secret

Why does the USA have the best machine for producing technological innovation? It's a question many governments are asking, and the answer allows Americans to enjoy a privileged position in the global economic order.


For Veiko Lember, director of the Ragnar Nurkse School of Innovation and Governance at Tallinn University in Estonia, there is a simple answer. Together with Rainer Kattel and Tarmo Kalvet he has just published the book "Government Procurement, Innovation and Policy: International Perspectives", which discloses, among other things, the United States' secret: a fierce commitment to outsourcing technology to companies under the umbrella of the intelligence agencies and the military. A strategy that leads them to take greater risks at a much faster pace than other countries and thus to learn from their mistakes and produce major innovations. That, coupled with strongly patriotic politics and a society that favours military spending "in exchange for greater national security".


Friday, August 1, 2014

The far side of the Moon

A study by the University of California has just determined that the Moon is not round, as was believed, but lemon-shaped. It is even claimed that this shape is the result of tidal influence, which has always been studied the other way around. Anyway, what remains unchanged is that the Moon has two sides: a visible one and a hidden one. Just like information security.



The difference between the Moon and infosec is that infosec's dark side is not always the same. It basically depends on who is more skilled at hiding whatever he wants, or at hiding himself wherever he wishes. The CIA has acknowledged that it spied on computers of the U.S. Senate committee investigating torture. It did indeed, but as Robert Graham of the Errata Security blog recalls with much sarcasm, it was actually spying on "itself": it had set up a network secured by the CIA itself and was able to check what caught the attention of the investigators, allowing it to reclassify the most "compromising" documents on the fly.