Friday, October 31, 2014

The chaos theory applied to information management

According to chaos theory, any small change in a chaotic system can be amplified without limit. Mathematician Edward Lorenz came to this conclusion by accident: tired of waiting for his computer to finish calculating the weather for a specific date from a given set of initial conditions, he wrote the intermediate result down on paper and went for a coffee. Nevertheless, after two months of simulation, the machine produced a result different from his. And neither of them was correct.

This paradox is commonly called the butterfly effect, and CIGTR's article today is precisely about it. For example, Pew Research says that we will be hit by at least one large-scale cyber attack by 2025. Increased connectivity, democratization, citizens' digital exposure and governments' interest in cyberwar are among the contributing factors.

Thursday, October 30, 2014

We are what we are, because of what we have been

"In the course of assessing recent threats, we identified activity of concern on the unclassified Executive Office of the President network. We took immediate measures to evaluate and mitigate the activity... Unfortunately, some of that resulted in the disruption of regular services to users." These are the words of a White House official, but they could have come from almost any server administrator at any organization targeted by cybercriminals.

Yes, the White House has been the victim of an attack. In fact, it has been the victim of many, but this one seems to have got a bit deeper than usual. The intrusion was discovered two weeks ago but was not disclosed until today, once appropriate steps had been taken. The Russian government has been named among the possible culprits, but without hard evidence we will not be the ones to throw the first stone.

Wednesday, October 29, 2014

Bad people last longer

There is a popular saying: "Bad people last longer." It refers to an individual or group who is always hanging around, putting a negative spin on everything they touch, and on top of it, there is no way to get rid of them.

Something similar happens with many cyber evils. Phishing is one example. It has existed since the necessary tools became available, and has kept making headlines ever since. Fidelity National Financial has been hit by recent phishing campaigns against several of its employees. Cybercriminals obtained an unknown number of account numbers and personal details.

Tuesday, October 28, 2014

The digital unwritten law of "just in case"

"Just in case" is a trending topic in the digital world, as it was (and still is) in most aspects of our lives. There are things you are not very keen on doing, but you do them anyway... "just in case". Nobody escapes the "just in case" thought. Every business, every family and even the security industry always has it in mind.

We all know that Apple computers do not get malware, right? They must be bombproof, apparently. But "just in case", you should install a monitoring tool to find out which services load when your Mac boots. Who knows! Perhaps that statement is not really true.

Monday, October 27, 2014

Pursuing digital peace

Today, 28 years ago, on October 27th, 1986, one of the largest religious meetings in history was held in Assisi (Italy). Not only Christians but representatives of nearly all existing religions made a plea for world peace from this small town.

Arranging such a titanic meeting was certainly no trivial matter. At that time, the Internet was just a project among a few universities, and most of us still contacted each other by telephone or post.

Sunday, October 26, 2014

Top 5 infosec links of the week (XLIX)

What is scarier for users: having a virus on their computer, or somebody stealing their data or money? Judging by the most-read links on CIGTR this week, both fears go together. Perhaps because one often follows the other: indeed, the virus or Trojan that plagues us is dedicated to sending our information to the bad guys or, worse, signing us up to paid services without our knowledge.

This week we have learned that in Spain there are over 17 million Internet users whose computers are in danger of becoming zombies. It is as simple as visiting an infected website and bam! the virus surreptitiously installs itself on the visitor's computer. "Botnets are currently the biggest concern at the level of cybersecurity for the Spanish citizen", said the general director of the National Institute of Communication Technologies (INTECO), Miguel Rego, when presenting his plan to combat them.

Saturday, October 25, 2014

The perfect definition of IT risk

Wikipedia defines risk as the potential vulnerability to harm or damage of units, individuals, organizations or entities. The Spanish Royal Academy of Language defines risk as the contingency or proximity of harm.

Either definition can be applied to IT risk, a daughter discipline of security governance that keeps our society standing. Heartbleed, Shellshock and POODLE are all examples of vulnerabilities that have jeopardized our computer systems. And all of them appeared this year, which might lead one to think that 2014 is somehow the most prolific year in history for critical security flaws. The truth is that it is not: compared with previous years, the number has actually fallen significantly. The change, therefore, comes from a redefinition of how a security flaw is communicated, moving from the old technical name (CVE-2014-4148, for example) to a more human, more commercial one, as already happens with malware. That small change in philosophy, coupled with growing user interest in digital dangers, accounts for the impression.

Friday, October 24, 2014

PHISHING, in capital letters

PHISHING. Neither fising, nor phishing, nor fishing. Note the capital letters. This is the topic of today's daily CIGTR article. PHISHING is the order of the day. In fact, it is the Trojan Horse of many cyberattacks. Are you ready? Let's start.

Three out of five Spaniards are hit by some kind of digital attack, but only one of them is aware of what is happening. That is the summary of the "Study on Cybersecurity and Trust in Spanish Households" conducted by ONTSI and INTECO within the framework of the Digital Agenda for Spain and the Trust in the Digital Environment Plan. These attacks come through different channels (insecure WiFi networks, social engineering, email...) and are usually aimed at gathering information to impersonate the user on banking services and social networks.

Thursday, October 23, 2014

Digital pessimism is almost as dangerous as cybercrime

"Hope is a denial of reality, it is the carrot stirred in front of the workhorse to make it move forward, struggling in vain to reach it". It is also said that "The pessimist is a well informed optimist". In this sense, the way we face life is far from the most profitable one, even more so when we think of today's technological hardships.

Perhaps in the infosec field it is usual for pessimism to be passed on to others. When HP and the Ponemon Institute release the Cost of Cyber Crime Report 2014 and you find out that the bad guys have caused losses of $12.7 million in the United States alone, 96% more than the previous year, it is only natural that it ends up affecting you.

Wednesday, October 22, 2014

A story about Androids

Albertus Magnus was a prolific thirteenth-century priest who cultivated theology, philosophy, geology, chemistry, astrology, engineering and even, though he probably never knew it, robotics. It is said that he shared his house with a talking head and a man-made device able to move by itself: the first android known in history. The term was revived by the writer Auguste Villiers in his book "L'Ève future", and it would eventually become common in our society.

The Android mobile operating system dominates the market, and has every chance of doing the same in IoT and gadgets. This, however, attracts the bad guys, as evidenced by a recent study by Kaspersky Lab and INTERPOL based on the malware research they carried out together between August 2013 and July 2014: 60% of malware targeting mobile devices is aimed at financial theft, whether by stealing bank credentials, sending premium SMS messages or extortion.

Tuesday, October 21, 2014

Remedies for digital evils

Sir Francis Bacon, to whom we owe the principles of the scientific method (among other things), was a renowned philosopher and politician in his era, and left many lessons for future generations to consider. Among them, we echo one so timeless that it could have been written this morning: "He that will not apply new remedies must expect new evils; for time is the greatest innovator."

Remedies are the order of the day. But they do not always work in our favor. The Chinese government decided to redirect all traffic to iCloud and Microsoft services passing through its network to a fake website in order to perform a man-in-the-middle attack. This way it can obtain users' access credentials without their consent.

Monday, October 20, 2014

Resources of a digital survivor

"When there's no more room in hell, the dead will walk the Earth." These words are spoken in one of the key scenes of the "Dawn of the Dead" remake, a cult film for all lovers of the zombie genre.

You may wonder why CIGTR opens its article with something so trivial. The answer is simple: truth is sometimes stranger than fiction. The zombie world had its new golden age in cinema under the paradigm of a society overwhelmed by too much information, television and government control. Meanwhile, in the third environment, we see every day how zombie hordes or deadly viruses attack where it hurts: our digital life.

Sunday, October 19, 2014

Top 5 infosec links of the week (XLVIII)

How long is 25 years? Is it a lot or not? Sometimes it seems an eternity, like the 25 years it took to complete the dome of the cathedral of Florence (Italy), after 130 years of construction. Or the 25 years from the time the Kepler mission was designed to observe exoplanets until it was launched. It has been 25 years since 1989, the year Bush was sworn in as President of the USA... Bush Sr., not Bush Jr. Yes, as the saying goes, "a lot of water under the bridge".

If, in Gardel's tango, twenty years are nothing, 25 years in computing is a whole lifetime. So those who wrote books that still make it into a recommended reading list are visionaries, as in the list compiled this week by Maite Moreno on Security Art Work, one of the most-read articles in recent days and a perfect way to start this Sunday's compilation of the most important news of the week. The 25-year-old book is The Cuckoo's Egg by Clifford Stoll, and it sits in that post alongside newer titles such as Epic Hacker by Alejandro Ramos and Rodrigo Yepes, published in 2012.

Saturday, October 18, 2014

Mountain View, we've got a problem

"Houston, we've got a problem". This sentence from the crew of Apollo XIII is an icon of popular culture. With very little time to react, and under great pressure, the engineers had to find a way to fit cube-shaped canisters into cylindrical sockets, and they could only do it with the materials already on board the ship. Thanks to this solution, and several additional measures, those astronauts survived an almost certain death.

When researchers at Google found the vulnerability dubbed POODLE this week, they lived through a similar situation. "Mountain View, we've got a problem". If someone has the ability to get into a device, downgrade the protocol and invalidate SSL, someone else has to come up with solutions almost as ingenious as those of the Apollo XIII engineers. Cupertino decided to win this medal, and the brand new version of its iOS operating system, Yosemite, has managed to patch this vulnerability. This has drawn admiration in the industry, since barely any time, if not mere hours, passed between the vulnerability becoming public and the built-in patch, after months of "cooking" Yosemite.

Friday, October 17, 2014

It is for your safety

"It is for your own good", "It is the least bad option we must go through to ensure an effective fight against terrorism", "We should not fear it, because we have nothing to hide." Some of these phrases may sound familiar to you. They are arguments employed by governments (on behalf of intelligence agencies) calling for calm over the control of personal information in digital media. And there is no doubt that their primary aim is exactly the same as the one pursued by citizens. Nevertheless, successful campaigns must find the balance between privacy and the absolute centralization of information.

The FBI is making headlines again due to the words of its director, James B. Comey, who has issued a statement responding to accusations made by Edward Snowden earlier this week. "Those charged with protecting our people aren't always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority," Comey said, conveying the Agency's concern about tech companies' moves towards greater privacy for their users.

Thursday, October 16, 2014

Carelessness can be costly

"Carelessness can be costly", ranging from the person who leaves his dog cooking in the car in the summer heat while he goes shopping, to pedestrians who cross the street without first looking both ways. Carelessness is very common, and unfortunately it sometimes has to be paid for dearly.

This happened recently with POODLE, a vulnerability in a secure communication protocol that is 15 years old. Do we still use it because there is no alternative? Nothing could be further from the truth. Carelessly allowing current versions to remain backward compatible with older ones leads to a situation where supposedly secure communication can be intercepted and read.

Wednesday, October 15, 2014

No matter how invincible they may seem, in the end, they always fall

It is said that Gandhi was not a good student when he was young. He barely passed the entrance examination to the University of Bombay, and eventually ended up studying law in London. It was in South Africa that he discovered his true calling, when he witnessed how people lived in that country. Thereafter, he found a way to hack the system, which led to the independence of India and the integration of the poorest people into society. His life is a reflection of a constant war against injustice and exploitation, as he wisely put it in one of his many speeches: "When I despair, I remember that all through history the ways of truth and love have always won. There have been tyrants, and murderers, and for a time they can seem invincible, but in the end they always fall."

Both good and bad fall. Today's top headline is undoubtedly the discovery by researchers at Google of a vulnerability in the SSL 3.0 protocol, which could allow attackers to downgrade the client to that version, typically by injecting JavaScript, and then bypass its protection. The attack would have to be combined with a man-in-the-middle attack in order to steal data successfully. Still, the significance of this vulnerability is that HTTPS encryption based on SSL is nullified. Hopefully this situation will boost the adoption of TLS and lead to this standard being abandoned (after 15 years).
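As an added example that is not part of CIGTR's articles of October 15 and 16, here is a Python script a defender can use to check whether one of their own servers still accepts an SSL 3.0 handshake, the backward compatibility that both entries warn about. Because modern Python ssl modules refuse to speak SSLv3, it builds the ClientHello record by hand and classifies the first record the server sends back; the cipher-suite list, the sample replies and the host name are constructed for illustration.

```python
import socket
import struct

# SSL 3.0 is wire version 3.0 (major=3, minor=0). The constants below come from
# the SSL/TLS record layer: content types and handshake message types.
SSLV3_VERSION = b"\x03\x00"
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# Constructed cipher-suite list: suites that SSLv3 servers commonly offered
# (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA,
# TLS_RSA_WITH_RC4_128_SHA). Enough to obtain a ServerHello if SSLv3 is on.
CIPHER_SUITES = b"\x00\x2f\x00\x0a\x00\x05"


def build_sslv3_client_hello():
    """Return a minimal SSLv3 ClientHello record, built by hand.

    SSLv3 has no extensions, so the message is just the fixed fields.
    """
    body = (
        SSLV3_VERSION                      # client_version = 3.0
        + b"\x00" * 32                     # client random (a probe needs no entropy)
        + b"\x00"                          # session_id length = 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                      # one compression method: null
    )
    # Handshake header: type (1 byte) + length (3 bytes, big-endian)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: content type (1) + version (2) + length (2)
    return bytes([CONTENT_HANDSHAKE]) + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns for the SSLv3 ClientHello.

    "sslv3_accepted": the server answered with an SSLv3 ServerHello, so the
                      downgrade the article describes is possible against it.
    "refused":        the server answered with an alert (SSLv3 disabled).
    "unknown":        anything else (empty reply, non-TLS service, truncated data).
    """
    if len(data) < 5:
        return "unknown"
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == CONTENT_HANDSHAKE and payload[:1] == bytes([HANDSHAKE_SERVER_HELLO]):
        # The ServerHello body follows the 4-byte handshake header; its first
        # two bytes are the protocol version the server actually selected.
        if payload[4:6] == SSLV3_VERSION:
            return "sslv3_accepted"
        return "unknown"
    if content_type == CONTENT_ALERT:
        return "refused"
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, send the ClientHello and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            reply = sock.recv(4096)
    except OSError:
        return "unknown"
    return classify_response(reply)


# Constructed sample replies so the classifier can be exercised offline.
# An SSLv3 ServerHello: record header, handshake header, then version 3.0,
# a 32-byte random, an empty session id, chosen suite 0x002f, null compression.
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"
    + b"\x02\x00\x00\x26"
    + b"\x03\x00" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
)
# A fatal "protocol_version" alert (level 2, description 70) from a server
# that has SSLv3 disabled.
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    print("sample ServerHello ->", classify_response(SAMPLE_SSLV3_SERVER_HELLO))
    print("sample alert       ->", classify_response(SAMPLE_PROTOCOL_VERSION_ALERT))
    # Replace the placeholder with one of your own hosts to probe it for real:
    # print(probe_sslv3("server.example.invalid"))
```

A server that reports "sslv3_accepted" should have SSLv3 disabled in its TLS configuration; "refused" is the outcome you want to see.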

Tuesday, October 14, 2014

As if it were a novel

"No Place to Hide" is the latest book by Glenn Greenwald. It exposes the NSA's surveillance tactics, drawing on Snowden's revelations. Yesterday, by chance, we brought you an interview with this former NSA consultant in which he warned of the dangers of commonly used services such as Dropbox. And today that cloud service is in the spotlight again.

Dropbox has been hacked. Well, actually it seems that the problem does not come from the company itself but from users who reuse the same password across multiple services. Pastebin and Reddit are in uproar over the ongoing publication of email addresses and passwords by cybercriminals who claim to hold up to 7 million accounts.

Monday, October 13, 2014

Freedom is slavery

Winston Smith, one of the employees at the Ministry of Truth in charge of rewriting history every day, comes to a conclusion that horrifies and calms him at the same time: 'How could you have a slogan like "freedom is slavery" when the concept of freedom has been abolished? The whole climate of thought will be different. In fact there will be no thought, as we understand it now. Orthodoxy means not thinking — not needing to think. Orthodoxy is unconsciousness.'

This passage from George Orwell's famous novel '1984' outlines a dystopian world consumed by a cold war between three superpowers. It is always told from the point of view of Oceania, ruled by Ingsoc and Big Brother. For those concerned about privacy, this book is a true picture of what an enslaved modern society could become. Recently The New Yorker Festival interviewed Edward Snowden. The video of that interview accompanies this article and should be essential viewing for you too. In it, Snowden attacks the poor privacy offered by cloud services like Dropbox, Google or Facebook, and highlights the important role of encryption in all digital communications.

Sunday, October 12, 2014

Top 5 infosec links of the week (XLVII)

Let's draw up an unwritten Murphy's law for security, and summarize it as follows: if something can be broken, there will always be someone who ends up breaking it; and if it cannot, surely someone will too. Once upon a more innocent time there may have been some piratical epic in breaking codes and systems; in any case, very little of that epic remains today, because almost all of it is business.

The top five stories this week have to do precisely with characters of more or less dark intentions who managed to break something because they could. Because that "something" was waiting for someone smart enough, or well paid enough, to get in where they were not expected. Such is the case of the sinister character who built a third-party app for Snapchat, persuaded enough people to use it, stole all the ephemeral data shared over the network, and dumped a huge amount of compromising information on 4chan.

Saturday, October 11, 2014

Cyberwar of Amendments

One of the most famous journalists in the United States, Bob Woodward, once said, following a book on conspiracies that called the Watergate investigation into question, "as a believer in the First Amendment, I believe they have more than a right to air their views". The First Amendment is regarded as the pass for almost everything, and that is why it is inviolable: it is forbidden to legislate in any way that would curtail freedom of expression.

In fact, the publisher Larry Flynt is behind the somewhat sarcastic remark that you do not need the First Amendment if you do not intend to offend anyone, which is like saying that if you do, stand behind the parapet of the First Amendment. That is precisely what Twitter has done, raising its tone above the acquiescence of other tech companies to the United States government. The largest microblogging network is suing its own country's administration so that it cannot limit its transparency towards users. Take the information you want, but let me tell users about your requests for it. And yes, it has brought out the First Amendment. That is like saying: "Don't try to fool me".

Friday, October 10, 2014

In love as in war…

Many quotes show how human beings have historically been attached to the military, such as Sun Tzu's "All warfare is based on deception", Joseph Stalin's "The only real power comes out of a long rifle", or the famous popular saying "All's fair in love and war". Although we consider ourselves social beings, the desire for power and the imposition of a hierarchy based on possessions makes us take up arms, spending resources to protect ourselves instead of on the common good.

A war is being waged in cyberspace, a war with no boundaries. Some people are protecting their property while others try to steal it. In the middle we usually find the user, who watches as tools originally designed to safeguard his data end up being exploited in phishing campaigns: for instance, the notifications iCloud sends to the account owner when someone else attempts to access its contents. You had better be very careful with what lands in your email inbox, and always make sure you are on the official website before entering your credentials.

Thursday, October 9, 2014

Top four bank fraud techniques

Woody Allen said in one of his movies: "If only God would give me some clear sign! Like making a large deposit in my name at a Swiss Bank." We do not know if his prayers were ever answered, but we do have evidence that cybercriminal gangs share his plea and go about wreaking havoc on the financial system worldwide.

This week the Central European University published an extensive study on the evolution of security breaches affecting European citizens' privacy. 24% of attacks target the United Kingdom, followed by Germany, Greece, the Netherlands and Norway. The main vectors for these attacks are companies themselves, accounting for 89% of the records on file. Corporations, governments and organizations are a very attractive target for this dark market.

Wednesday, October 8, 2014

A good (economic) cape covers everything (even digital ethics)

It is hard to find anything that has provoked such a flood of writing as money. Benjamin Franklin said that "money never made a man happy yet, nor will it. The more a man has, the more he wants. Instead of filling a vacuum, it makes one." Voltaire also looked after our souls when he warned: "don't think money does everything or you are going to end up doing everything for money." And even the Castilian proverb "a good cape covers everything" warns us about it. The power of money lies in how it can change people, for better or worse.

In the digital world, we find arguments for both cases. For instance, bank fraud has evolved from operating in a very disorganized manner some years ago to being run like a criminal company today. Outlets selling stolen bank details use techniques and certifications to boost buyer confidence, just like any legitimate e-commerce operator. When you visit one of these websites, some of them reachable from anywhere on the Internet, you realize you are not looking at a shady portal run by crackers but at a company that takes care of its customers.

Tuesday, October 7, 2014

Curiosities of such an insecure network

With a dose of reality and, in some cases, a bit of fantasy, history is riddled with curiosities of the most diverse kinds. For instance, the trick fate played on a German woman who in 1914 took six pictures of her son on a roll of film. She later sent it to an acquaintance to be developed, but only recovered it two years later by chance, when she realized that the film she had just bought was actually hers. Or the fortuitous prophecy of Morgan Robertson, author of a novel about a ship called Titan that was not as "unsinkable" as expected. Or the coincidences in time between Lincoln and Kennedy. Fate is capricious, and even more so is the human search for common ground.

Robert Graham made it clear in one of his latest articles, attributing the name Shellshock, the vulnerability that has shaken the Internet in recent days, to Andreas Lindh, who by chance tweeted the picture accompanying these lines in the first few minutes of chaos: the logo of a ride at the Nickelodeon Universe theme park, whose full name is Teenage Mutant Ninja Turtles Shell Shock.

Monday, October 6, 2014

The Coyote and Road Runner from cyberspace

In the mid-1950s, young animator Chuck Jones created the Wile E. Coyote and Road Runner series of cartoons. It started as a parody, and soon achieved an unexpected success that took it to many Western countries and even some in Asia. Wile E. Coyote patrolled the desert of the southwestern United States, home ground of the Road Runner, the fastest bird, who enjoyed watching his nemesis fail time and again. Over half a century later, what began as a simple pastime represents the antithesis of what is experienced in cyberspace every day.

One fact shows how concerned we are about being hunted by the Coyote: over 21% of American citizens have never destroyed correspondence (digital or physical) containing private content (such as invoices or bank details). Moreover, 45% of them use the same password for all services, and 49% have not changed their password in the last six months, according to figures recently published by AARP on the risk of falling victim to identity theft.

Sunday, October 5, 2014

Top 5 infosec links of the week (XLVI)

– Windows is better than nothing...
– You are confused, iOS is better at everything...
– You are both wrong, in fact they wish they were Android...
– Much of a muchness, but...

'Fanboys'. Unmistakable. Whatever they do, their brands are the best. But without security, however much of a 'fanboy' you may be, you will get nothing done.

When it comes to security, it takes all sorts. At the beginning of the week Apple's power users were warned: everyone using VMWare virtual machines was at serious risk after Bashgate, the Shellshock vulnerability case that has forced all manufacturers to rush out security patches. Specifically, on Mac OS X the danger is an exploit that allows privilege escalation to execute code.

Saturday, October 4, 2014

'Shakespeare in hack'

What if evil were so widespread that doing evil became disheartening? Sometimes it is appropriate to draw on the classics, like William Shakespeare, to try to understand the present. "If every day were a vacation, playing would grow as tedious as working", he wrote in the second scene of the first act of his 'Henry IV'.

They may not be writing the second part of Henry IV, but researchers at Akamai who have tracked the exploits for the Shellshock vulnerability believe that criminals have lost much of their initial interest. Partly because the patches released block the most dangerous possibilities, and partly because many 'amateurs', if not outright "idiots" (the text's word), have used the vulnerability for fuzzy goals such as opening remote CD trays or playing audio files from who knows where. They are "bored hackers" who in turn bore the real "hackers". However, the Akamai team warns that although interest is fading, the threat will persist for months if not years, for example as a vector for zombie networks (botnets).

Friday, October 3, 2014

Direction towards your data security

"If you do not change direction, you may end up where you are heading." This quote by the Chinese philosopher Lao Tzu may seem a truism, but it carries an important wake-up call: stop for a moment, think about the path you are taking and make sure you really want to end up where it leads.

While cybercriminals demonstrate every day that they are confident in the direction they are taking, many organizations that store and process users' personal data should ask themselves whether they have chosen the right path to protect that information. In this sense, the largest US bank, JP Morgan, has acknowledged that the massive cyberattack it suffered earlier this year compromised the names and addresses of 76 million private and seven million business customers in the USA. In addition, the science supplies company Flinn Scientific has notified its customers that its online store server was infected with malware. Data from all buyers between May and September, including credit card information, could have been intercepted by the attackers.

Thursday, October 2, 2014

The time we need and we never have

It is said of Muhammad, the "seal of the prophets", that he was a thoughtful man who usually spent part of his day in meditation. Thanks to it he had his first revelations, which led him unequivocally onto the path of social awareness of the word of God. What would have become of Muhammad in today's civilization, where time flies? "Do not spend time dreaming of the past and the future; be prepared to live the present moment."

For example, the moment that leads a company like Trend Micro and an organization as important as Interpol to work together to make the world smaller for cybercrime. The former will provide knowledge and technological expertise, and the latter the resources and experience needed to succeed in an environment that respects neither borders nor authority.

Wednesday, October 1, 2014

The incentive of information society

"Incentive, stimulus, claim, appeal, stimulation, bonus, award..." All of them are synonyms for one of the main engines that keep the gears of our society turning. Those gears work together for the common good, or alone against the internal machinery, testing what it is made of.

Google, a tech giant that has positioned itself as one of the world's most valuable companies in less than two decades, has learned this lesson well, and has increased the rewards of its incentive program for auditors who find bugs in any of its tools. This allows Google to stay ready for whatever may come in a fast-evolving market and offer a greater guarantee of success at a much lower price.