Tuesday, September 30, 2014

Risks of cutting the cake into pieces

Risks, you say? Even history cannot get rid of them. Ephemeris: on a day like today, September 30, 2005, the Parliament of Catalonia approved its third Statute of Autonomy. By a whim of the calendar, nine years later other similar debates pose risks to both Spain and the autonomous region.


Daily life carries risks at every level, and they should be addressed in a better way than the arrival of iOS 8 on the market. After the initial fright brought by version 8.0.1, which left the new iPhone 6 without a network connection, now comes 8.0.2, which may erase the data from your iCloud account. At least in this case the bug only affects us if we reset the device to factory settings from its menu, so if you've already upgraded to 8.0.2, do not reset it.


Monday, September 29, 2014

Security behind the scenes

There is a popular saying: "Life is like a play, with the only difference that life is an ongoing premiere and, unfortunately, you cannot correct the mistakes." Art on stage competes in strategy and passion with life off it. Computer security, for instance, affects all the premieres that society lives every day.


The first thing we'll do to start the week is update our diary. We step into October, when several security industry meetings will take place. Lorenzo Martinez (@lawwait) reminds us of the dates of various security events for people passionate about technology, like all of you: Navajas Negras in Albacete, 8.8 in Chile, ConectaCON in Jaen, GSICKMinds in Corunna, EkoParty in Buenos Aires and, of course, No cON Name in Barcelona.


Sunday, September 28, 2014

Top 5 infosec links of the week (XLV)


Be careful what you wish for, because it may come true. It is a piece of wisdom that can be applied to US actor Harvey Keitel, who said that "an actor is always naked on screen, even if he is dressed." It has been nearly a month since the nude pictures of Jennifer Lawrence, Kate Upton and other celebrities were leaked on the 4chan forum, and the topic remains highly topical. That is, of course, with the permission of Shellshock, the most serious vulnerability since Heartbleed and on its way to becoming the biggest security issue of this year.

Another scandal of leaked nude pictures, this time starring Kim Kardashian, pushed the hashtags #CelebGate and #CelebLeaks up again. Over the past seven days it was clearly the most clicked story shared from this blog and from CIGTR's social networks. Will Kardashian's leak be the last one? Not likely, as such scandals are synonymous with a great online echo.


Saturday, September 27, 2014

Milestone to milestone


When the year ends and many of us summarize all the security incidents of 2014, we will surely have the perception that the most serious situations exceeded the predictions made in December 2013. At the moment, the 'Shellshock' vulnerability that has violently shaken the industry this week has all the earmarks of becoming the most important issue of the year.

Look wherever you want, and there is virtually no talk of other matters, in all cases with a common denominator: every patch released in recent days is welcome, but beware of trusting it blindly, because that is not enough. The security hole is there, alive, exploited by cybercriminals, and they will not miss the opportunity to grab such a tempting slice.


Friday, September 26, 2014

The weak have one weapon

"The weak have one weapon: the errors of those who think they are strong." Georges Bidault, a French politician of the Second World War era, used this quote to point out the biggest danger society was already facing at the time: not recognizing its own mistakes.


Over half a century later, his words come to mind when learning some of the many dangerous implications of Shellshock, a security hole in how Bash handles environment variables, for the future of the Internet as we know it. ELF_BASHLITE.A is the technical name of the first malware discovered that was specifically designed to exploit this vulnerability; it performs brute-force attacks to steal login credentials through a few simple commands, impersonates identities and denies service on any vulnerable server connected to the Internet (which today are the vast majority).


Thursday, September 25, 2014

Self-destructive digital management of the human race

"While the tiger cannot stop being a tiger, it cannot be de-tigered, man lives in perpetual danger of being dehumanized." This lurking danger, brought out by Ortega y Gasset in this quote, is in our own nature and leads us every day into a self-destructive situation of risk.


The story of the day, and presumably of the month, is the discovery of a serious vulnerability in the handling of variables in Bash, the command interpreter of Unix operating systems (Linux and OS X). The bug allows code to be executed, bypassing all kinds of protections. Some experts have begun to consider it the new Heartbleed because it affects practically the vast majority of services: websites with accessible CGIs, servers with SSH enabled, DHCP clients with shells, applications, Linux-based operating systems (such as Android), ATMs, smart TVs, basically any tool running on a Unix shell. Most distributions are working on fixing the problem. Patches for different services have started to emerge, but as usual, every single administrator of these kinds of systems has to apply the patch, and that could take a long time.


Wednesday, September 24, 2014

The size of cyber security does matter

“I was a little surprised to see that there were no significant signs of improvement." Marc Rogers, principal security researcher at mobile security firm Lookout, said so in an interview with Information Security Media Group, just after unveiling the company's latest success.

We talked about it yesterday: biometric systems have complex security problems to be solved. The biggest one is the possibility that an attacker obtains the unlock pattern and prints an object with it to unlock any device. At the time, it happened with the iPhone 5S fingerprint reader, and it has happened again with the iPhone 6 Touch ID. The worst part is that this new version not only allows unlocking the device, but also making purchases with Apple Pay and accessing personal health data.


Tuesday, September 23, 2014

Security perimeter goes wider

"Our members already cooperate intensely with their own, national police authorities in order to fight with financial cybercrime. Our partnership with Europol now adds a European dimension to this important work. International cooperation between banks and law enforcement bodies is essential because it is clear that criminals know no borders." With these words Wim Mijs, Chief Executive of the European Banking Federation (EBF), announced the beginning of a partnership between his organization and Europol in order to address cybercrime.


This cooperation is necessary to protect one of the most common targets of cybercriminals: credit cards and financial data. It means that two vital elements for securing transactions in Europe join efforts: banks and international law, the latter being the main obstacle the police have to face when hunting down criminal gangs.


Monday, September 22, 2014

A new version of “I have a dream”

"I have a dream that one day this nation will rise up and live out the true meaning of its creed: 'We hold these truths to be self-evident; that all men are created equal.'" Perhaps this is the most famous part of the speech by Martin Luther King 51 years ago, in clear reference to the Emancipation Proclamation. Today 151 years ago, Abraham Lincoln announced freedom for all its citizens, whether they were black or white.
At the time, they lived a situation relatively similar to the one we are experiencing in the third environment. Freedom is restricted, tainted by the abuses of a few people against the rest of society. Such abuses attack our right to privacy; one example is the leak of nude photos of celebrities such as Kim Kardashian, Vanessa Hudgens and Mary-Kate Olsen, surfacing again in 4chan and Reddit threads.


Sunday, September 21, 2014

Top 5 infosec links of the week (XLIV)

"Journalism largely consists of saying 'Lord Jones is dead' to people who never knew that Lord Jones was alive." This quote from British writer G. K. Chesterton is good enough to end this week, once again full of news in its own right: 'Lord Joneses' that we did not know of just a month ago.


The Home Depot and #CelebLeaks cases captured all infosec attention during the last few weeks. This entrance on stage of huge stores (Home Depot) and a large company with brand personality such as Apple (iCloud) has the power to create more awareness across the planet. Where we never knew of 'Lord Jones' at the PoS or in pictures supposed to be private, now we learn the lesson for next time. So what? We are suddenly interested in this Lord.


Saturday, September 20, 2014

Never take hasty decisions

"I quit, I quit, I quit!!" If someone makes you believe that you have what you don't have, it's easy to make hasty decisions. Just like Geoffrey, the butler in the famous series 'The Fresh Prince of Bel-Air', when Will Smith and Carlton Banks make him think he has won the lottery, in one of his most memorable scenes.


In this digital age, how would you rob someone? The easiest way to your goal is a confident target, someone who believes that his goods are inaccessible, someone who thinks he is safe enough. If you succeed, maybe he neglects his backdoors and allows a stranger to know him like the back of his hand. That applies to any consumer at any store that suffers the attack of a specific malware (as in the recent Home Depot case), and also to a government contractor. According to a US Senate report, up to 50 companies have been breached in the last year by Chinese hackers, who would have had access to countless data and sensitive information.


Friday, September 19, 2014

Honey of the Internet

“The only way to be sure of winning a war is to prevent it.” This quote is attributed to the American military man and politician George Marshall, Nobel Peace Prize winner and author of the famous Plan that bears his name. We take this principle as a guide for this post, and hopefully as a fundamental principle to be applied from now on in the digital world.


Home Depot, the largest chain of DIY stores in America, suffered a malware attack last week that put the electronic wallets of 56 million customers in danger. Today, the malware has been removed from all its systems, and it is time to recap the event. The malware was specifically created for Home Depot, bypassed all the company's security systems and had remained active since April this year.

Along with Home Depot, Goodwill, which sells donated clothing and household items in 3,000 stores, discovered a security breach in its payment system. Neither Goodwill nor its payment service vendor, C&K Systems, realized the problem until 18 months later! Cybercriminals could have taken advantage of those 18 months to compromise the security of at least two other organizations.

These are two more examples of the fierce war being waged in the third environment. That environment is shared by companies, distributors and users, affecting all of them equally. It is therefore not surprising that large companies secure their services as much as possible as a way to differentiate themselves from the competition and win new customers.

You saw it here in yesterday's article, where we told you about Apple's statement that the customer is not the product, clearly alluding to its main competitor, Google. Today, however, we got Google's response, reporting that Android L will encrypt user data by default. Two strategies aimed at protecting privacy, which also make it technically possible to avoid personal information requests from government intelligence agencies.

Protecting your users and customers as well as your infrastructure: is your company prepared for a phishing attack? On his blog, Chema Alonso recounts a phishing attack simulation that his company ran on its own workers, noting that although only a minority fell for it, it was still a significant percentage, which endangers every computer system accessible to the victim.

What about APTs and other malware aimed at gaining control of your servers? The best way to perform this kind of simulation is by creating decoys, called honeypots in computer jargon. Encapsulated in a sandbox that prevents the attack from spreading to real systems, they attract prying eyes and allow you to monitor the attack vectors and techniques used.

We have taken an extensive tour in exactly the opposite order to the way we should address computer security. First you must put active and passive defense measures in place, train your workers and implement security systems for your customers; and if your defenses are still breached, warn and eliminate the hazard ASAP.

Thursday, September 18, 2014

Unprecedented technological privacy

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.” Cupertino chose these words to announce its policy change regarding government data requests.


The consequences of Wikileaks and Edward Snowden’s revelations are shaking the technological landscape like never before. With this statement, Apple claims that from now on it will no longer give access to its devices at law enforcement’s request. The way it did so is similar to the moves of most large companies in the sector: encrypting data and making it inaccessible from their own servers.


Wednesday, September 17, 2014

To endear oneself to vulnerabilities

"From less to more" (the title of one of the songs by Spanish actress and singer Rocio Durcal) "I let you love me, you came into my life."


This is something that happens every day in the third environment. German telecoms let the NSA and the UK's GCHQ love them under the umbrella of "Treasure Map", a world map aimed at locating and monitoring every Internet-connected device in almost "real" time. Divided into different layers, as shown in the picture, it would offer (if it is not already doing so) one of the most powerful tools for mass espionage.


Tuesday, September 16, 2014

A cyberspace with sunny spells

“To maintain public confidence in both government and technology, we need legislative reform that ensures surveillance powers are transparent, reasonably scoped by law, and subject to independent oversight.” Google's legal director, Richard Salgado, took advantage of the presentation of the company’s tenth Transparency Report to demand more transparent laws that clearly define the conditions and protocols to be followed by both governments and businesses when law enforcement requests users’ personal data.

The report released yesterday shows that the number of requests for personal information made by governments around the world in the first six months of 2014 rose to roughly 32,000 petitions, a 15% increase compared with the second half of last year.


Monday, September 15, 2014

The key to security: learning from mistakes

It is said that man is the only animal that trips twice over the same stone. How many times do we have to make the same mistake before learning the lesson? It probably depends on the severity of the consequences.

Following the leak of the intimate photos of nearly a hundred celebrities a couple of weeks ago, a third of the respondents to a survey carried out by YouGov and Tresorit claim to have improved the security of their online accounts. 20% of them say they changed their passwords for stronger ones, 1 in 10 changed their social accounts’ privacy settings and 6% activated two-step verification.



Sunday, September 14, 2014

Top 5 infosec links of the week (XLIII)

"Tips to protect our accounts, the 15-year-old Wi-Fi protocol, CelebGate, personal information in many security breaches that rewrite history." The five top posts of this week, directly in the Sunday compilation.


Five million is the latest scandal plaguing technology: 5 million Gmail accounts released on a Russian forum. 5 million accounts obtained using different phishing and social engineering techniques, reminding us once again of the importance of activating two-step verification.


Saturday, September 13, 2014

Explosives hacks

How do you protect yourself from the outside in a world full of windows? How should we address digital security in a diverse and complex environment? Surely these are questions that, by now, have become one and the same.


The revolution of the Internet of Things, the immediacy of communications and the proliferation of new devices are generating thousands of new attack vectors that can (and do) harm nearby systems, exposing third-party data and even endangering people's lives.


Friday, September 12, 2014

The fight for your personal data takes place every single day

“Get up, stand up, Stand up for your rights. Get up, stand up, Don't give up the fight.” These inspiring words from the song "Get up, stand up" by Bob Marley encourage us today to reflect on how we defend our rights, specifically our right to privacy.

Since former National Security Agency contractor Edward Snowden reported the abusive surveillance practices carried out within the PRISM program framework, it appears that most governments, businesses and citizens have begun to understand that their personal data is a treasure and that they must protect it from strangers.


Thursday, September 11, 2014

Five million reasons to better protect your online accounts

Five million. Five million viewers watched the first episode of the TV series "The Closer" on its release in the USA. Five million is also the number of copies of the "Who Made Who" album sold by the rock band AC/DC. The age of the Santa Cruz Islands, discovered in the Pacific by the Spanish navigator Álvaro de Mendaña, is also five million years. Five million dollars was the reward offered by the FBI and the DEA for the capture of Colombian drug lord Juan Carlos Ramirez Abadia.

Now we can add to the previous figures the five million Gmail accounts leaked on the Russian Bitcoin Security online forum. The user who posted the list of emails also claims to have their passwords, 60% of which are valid. To give you an idea of the scale of this theft, it is almost equivalent to the population of the Miami metropolitan area.



Wednesday, September 10, 2014

Wi-Fi, 15 years of advantages with some added risks

Many of us have dreamed at some point of being teleported. Being able to instantly move from our bed to the bathroom, from home to the office or from Madrid to Los Angeles sounds great, right? But all attempts to do so have so far been just an illusion, like the one in the video that accompanies this article.



However, there is indeed a technological development that teleports all types of content: posts, news, movies, music... It is in our homes, in libraries, factories, airports and even on city buses. The vast majority of us use it every day. Surely you already know that we are speaking about Wi-Fi. Perhaps what you did not know is that the Wi-Fi Alliance, the international association that promotes this technology, was born 15 years ago. This association celebrates its 15th anniversary in 2014 with some impressive facts: over 22,000 certified products; two billion Wi-Fi devices sold in 2013 alone; and today 25% of homes around the world enjoy this wireless connection.


Tuesday, September 9, 2014

Stitches to close wound caused by personal information breaches

“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred." With these words, Frank Blake, chairman and CEO of the largest DIY retailer in the world, Home Depot, confirmed the worst fears.

Credit card data from millions of Home Depot’s customers may have been stolen by cybercriminals between April and September 2014, and would be on sale in a clandestine corner of the Internet known as Rescator.cc. The number of customers affected is still not confirmed, but it is speculated that this could be the biggest information breach in history. The criminal group infected the point-of-sale systems of the more than 2,200 stores that Home Depot has in North America with a malware called BlackPOS. This malicious code captures credit card numbers from memory before they are encrypted. In an attempt to reassure consumers, the DIY giant has stated that they will not have to bear any responsibility for fraudulent charges made on their cards.


Monday, September 8, 2014

Don't let cyber crime undermine your spirit

Motivational expert Harvey Mackay argues that "When you wake up every day, you have two choices. You can either be positive or negative; an optimist or a pessimist." But it is usually harder for us to keep a positive outlook on Mondays, especially if we begin the week with news like this:


Cybercriminal activity in China doubled between 2012 and 2013, according to a report by Trend Micro. Nowadays there are fewer barriers to committing crimes on the Internet: malicious tools are cheaper while they grow in sophistication and number of features. The greatest interest in the Chinese underground market is concentrated around compromised hosts, distributed denial-of-service attack services and remote access tools (RATs).


Sunday, September 7, 2014

Top 5 infosec links of the week (XLII)

#CelebLeaks, #CelebLeaks and #CelebLeaks. Or, if you prefer, #CelebGate, as it has also been called. There is no doubt about it: this is the main topic of the week now ending. Whether out of curiosity about iCloud security or out of another kind of curiosity, your clicks are unequivocal. If one topic has especially motivated the community in the last seven days, it has been the leak of nude celebrity pictures. A leak due to... a vulnerability, hacking, cluelessness?



This week we've been going back and forth: Apple denies, Apple recognizes... The post on Forbes where we picked up the story on Monday showed that doubt from the beginning: "It is unclear whether the celebrities did not properly protect their accounts, if a vulnerability was found in iCloud or if something else occurred". In any case, this leak has led to many misunderstandings. Among them, one highly publicized on CNN: the 'ephemeral' forum 4chan was the place where the #CelebLeaks were spread, and hours later an "expert" on the American TV station was speculating about the identity of this "user" called 4chan.


Saturday, September 6, 2014

Take cybercrime to task

"Write to me, please, with your own take on the 2014 Faces of Fraud. Tell me, please, what you’re going to do to help write a different storyline for 2015." Tom Field, VP Editorial of Information Security Media Group (Risk Information Today, among other renowned blogs), signs this petition.

This reference is part of the introduction to an extensive and precisely documented report entitled "The Faces of Fraud in 2014: The impact of retail breaches". Throughout 40 pages, the report details a comprehensive survey on the exposure of retail outlets to the most important breaches, especially the Target case; it also incorporates the views of various experts on incident response, awareness, improved security and forecasts for the medium term. Having lived this week through what has been described as possibly the greatest security breach of its kind, the Home Depot case, this report is entirely relevant.


Friday, September 5, 2014

Hacking other's account is not art but a crime

The famous Spanish artist Pablo Picasso said "Art is washing the dust of daily life off our souls." So the artist XVALA has decided to dust off the lives of model Kate Upton and actress Jennifer Lawrence. On October 30 he will display their nude photos at the "No Delete" art show in Los Angeles. Neither of these two women posed for him, but he will take advantage of the photos stolen and made public on the Internet a few days ago by a hacker who broke into their iCloud accounts.


Wired magazine revealed that one of the tools used by individuals who compromise accounts such as iCloud ones is Elcomsoft Phone Password Breaker, originally designed to make the work of law enforcement agencies easier. The main function of this software is to download backups from the victim’s iCloud account, although attackers must already have the victim's access credentials to be able to do it.


Thursday, September 4, 2014

If cyber threats don't sleep, neither do you?

Italian writer Antonio Tabucchi said he preferred “insomnia to anaesthesia.” It was like saying he preferred to remain constantly alert rather than "being in the clouds." In an ideal world we would not have to choose between these two extremes. But today there are so many things that can cause us to lose sleep...


For instance, data breaches. It is very likely that the cybersecurity team at DIY retailer Home Depot has been unable to sleep a wink since blogger Brian Krebs uncovered evidence suggesting that cybercriminals had managed to steal information from its customers’ credit cards at nearly all of Home Depot's 2,200 stores in the U.S. The company has not confirmed the event so far, but it is investigating it. If it were true, it could represent the biggest breach in history.


Wednesday, September 3, 2014

Cyber Butterfly Effect

"A butterfly can flap its wings in Peking and in Central Park you get rain instead of sunshine". Almost anyone recognizes this quote from the film 'Jurassic Park'. It is the essence of the Butterfly Effect, which summarizes Chaos Theory, as the mathematician Ian Malcolm says on his first tour of the dinosaur park. Chaos is present every day in our security. First things first...



The Institute for National Security Studies (INSS) and the Cybersecurity Forum Initiative (CSFI) have published a comprehensive report on threats to national security in the context of cyberspace, which ranges from cyberattacks on American banks to targeted attacks from Russia against Western Europe, through Machete, the latest cyber espionage campaign lashing Ecuador. Real chaos at a global level. Tripwire offers a valuable executive summary of the report on its blog.


Tuesday, September 2, 2014

Infosec's Farabutto

Raise your hand if you know who Guido & Luigi Farabutto are. Nope. They are neither two Italian researchers nor two hacker grandsons of Argentinian immigrants. We'll give you some clues over the next paragraphs. How long will it take you to guess? ;-)

Clue number one: the Farabutto brothers are closely related to the most "celeb" leak lately, the leak of nude celebrity photos after an iCloud security breach. The scandal is so huge that Twitter is deleting profiles that tweet these pictures, and the FBI itself is working on the "W"s of this shocking leak: who, what, how...


Monday, September 1, 2014

Cyber nude

Watch out, be very careful with the photos you share from your phone: that would be the corollary of the day.


The popular forum 4chan has again grabbed society's attention as the place chosen to dump the alleged nude photos of celebrities like Jennifer Lawrence and Kate Upton, along with a long list of names who have allegedly also been hacked. All indications are that the attack was carried out against the iCloud accounts associated with these users' iPhones, which keep, among other things, backups of content that was once on the phone.