Sunday, November 30, 2014

Top 5 Infosec links of the week (LIV)

Would you leave your life in the hands of a computer? At first sight the answer is a big No! But if we take a magnifying glass, we see a concept that is taking hold, called the Internet of Things, and if we look closer, we see that among these things there are cars, which today are computers on wheels. The dangers of driverless cars are what most interested our readers this week.

They call them autonomous cars, and manufacturers promise that next year there will be driverless cars in Britain, something that has astonished that country's Institute of Engineering and Technology, which warns that 98% of the applications that run on these vehicles have serious defects that could even allow an attacker to take remote control.

Saturday, November 29, 2014

Smart hacker vs fool hacker

In the hacker community's jargon there are many adjectives for those who know a lot: elite, guru, samurai... At the other extreme is the lamer, somebody who neither listens nor wants to know, who prefers copying the work of others to learning. At first it may be difficult to distinguish between them, especially since the swashbuckling lamer often appears to be elite and beyond. Just give it time and, like so many things in this life, by their actions you’ll know them.

They’re black hat hackers, yes, but elite after all: the authors of the latest known attack against a large Fortune 500 corporation. To steal company data, they hid it in videos uploaded to a cloud service. This was achieved using a technique called steganography, which makes it possible to hide information in an image or film in a way that is undetectable to the eye and, judging by what has been seen, to intrusion detection systems too.

Friday, November 28, 2014

APTs spearheading new cyberwar

"If we were able to develop samples that were not detected by these tools without actually having access to any of the tested products during the development phase, then resourceful attackers who may be able to buy these products will also be able to develop similar samples, or even better ones."

This is the conclusion reached by one of the researchers behind BAB0, a piece of malware created to test attack detection systems across the security industry. BAB0 is simply an APT that takes advantage of techniques such as steganography (hiding code in images) to infect the victim, and may thereafter monitor traffic and break operating system sandboxes.

Thursday, November 27, 2014

Fiction inspired by digital reality

What inspires a person to create a novel, a movie or a comic book? It is usually life itself, which is rich enough to produce the best comedies or the darkest horror stories.

Imagine for a moment that the protagonist of this story discovers by chance that someone has been spying on him for a long time. Perhaps this surveillance has been carried out by a Big Brother, as in The Truman Show (1998), or by technology itself, as we saw in the Person of Interest series (2011). But the seed is exactly the same. Every month some spyware is discovered (sometimes by chance). This is the case of a new variant of the Remote Control System (RCS) spyware developed by the Italian company Hacking Team.

Wednesday, November 26, 2014

Security manuals for all tastes

Nowadays written manuals are commonplace, but their history began just two centuries ago, when the evolution of scientific doctrine influenced the democratization of the epistolary genre (letters) as a tool for indoctrination.

Thanks to the Internet, the concept of the manual has blurred, since it can now come in different formats, ranging from video tutorials to infographics or articles on both social networks and blogs. This post is an example of it. You may want to keep it in your bookmarks, as it collects several of these manuals for learning and mastering new technologies in a secure way. Let's start.

Tuesday, November 25, 2014

The burning of witches in the digital world

In classical mythology, witches were human beings with the ability to transform themselves into animals, devour souls and transform physical laws at will. It was not until 1400 that the Church accepted the presence of witches in its bosom. They were considered women who had reached an agreement with the Devil, and therefore fire was required to purify their spirit. The burning of witches was used for centuries to solve family troubles, helping to sustain the retrograde belief that women were inferior and sinful.

The burning of witches has evolved over time, becoming more subtle. Now the target of the fire is users or companies. For example, Sony Pictures suffered an attack yesterday. Its network was hacked, which may lead to the future publication of confidential data. Movie teasers, for instance? Perhaps contracts or agreements of the film industry? We'll see what happens in the coming days.

Monday, November 24, 2014

Recipe for a healthy life in the digital world

The recipe format has been used in many areas: gastronomy, chemistry, biology, physics... In computer science, however, not so much. At the CIGTR we like challenges, so we will introduce you to a method of preparing a contest of digital data exhibition.

The first thing you need is two-thirds of common sense, which you will shake on your social profiles and devices in order to avoid exposing your personal data. Take at least five minutes a day to upgrade your system against Trojans like Regin, which has been making trouble in cyberspace since 2008. This Trojan is divided into 5 layers, each of them more sophisticated than the previous one. Its recipe was allegedly baked in some government’s oven.

Sunday, November 23, 2014

Top 5 Infosec links of the week (LIII)

Stats, brainy reports and daily observation say that most people online do not mind making their personal information public. This is corroborated by the passion they put into entering data on social networks about their tastes, the schools where they studied or pictures of their family. This data, in the hands of the right person, can become highly sensitive and be used for various scams. But... ah! When the information in danger concerns their money, things change.

Indeed, what has most worried our readers this week has been the theft of financial information from 2.7 million customers of an international bank in Hong Kong and Shanghai: names, card numbers, expiration dates and associated account numbers have been leaked. Luckily, the bank has been honest and informed customers of the problem.

Saturday, November 22, 2014

Can law save the unicorn?

We sometimes refer to the current situation of security on the Internet as the Old West, but now we correct ourselves: it’s an epic struggle where the bad guys are getting more and more clever. The forces of Good, however, act in an uncoordinated way, sometimes even tripping each other up. We’re improving education about computer security, there are more and better programs for our protection, law enforcement agencies are up to date in this field... But that's not enough to stop the plague. Now it’s the togas’ turn: legions of judges and lawyers join the battle.

It’s this weekend's big news: a Russian server showing thousands of links to IP cameras connected to the Internet. Their weak access passwords (admin, 1234) have made them easy to hack. Almost 400 of them are from Spain, showing parking places, shops or... babies! Such oversight can only be explained by the lack of information security culture in the street, especially regarding devices that do not appear to pose a danger.

Friday, November 21, 2014

The suitcase of a digital spy

When James Bond needed technological tools, he went to hidden laboratories where they provided him with the latest spy developments: a recorder clock, a ring with poison, or a bombproof car which was also useful to "show off" to the ladies.

Spies in the 21st century have similar tools at their disposal, but this time these tools are digital. They make their work easier and force them to keep continuously learning. Like James Bond, they must also put them in their suitcase.

Thursday, November 20, 2014

"The Prancing Pony" and the reality of digital security and privacy

“I amar prestar aen (the world is changing), han mathon ne nen (I feel it in the water), han mathon ne chae (I feel it in the earth), a han noston ned gwilith (I smell it in the air)”. The Lord of the Rings film trilogy, an adaptation of Tolkien's most famous novel, started this way, in Elvish. This story reflects how thousands of small accidents make up an ever-changing reality.

Some years ago, the digital world was very different. Its risk was about the same, but there was no awareness of it. Users saw the Internet as a window to a world of fantasy and black hat hackers were devoted to less hazardous duties.

Wednesday, November 19, 2014

Security on the Internet, both on your closest environment and outside

Sometimes we focus on people who are outside our closer circles and forget about the ones who are nearer to us. Cybercriminals know that and take advantage of it to draw the victim’s attention to a misleading direction.

If you need to keep conversations private using an anonymous communication channel like Tor, cybercriminals will make you think that such a system is impregnable, so that you trust it and deploy some of your services taking advantage of the alleged anonymity of that network. When suspicion surfaces, they will monitor all traffic going through most of its nodes. In fact, the kingdom of Tor is not as anonymous as you might think, according to a recently released paper: 81% of daily traffic is not anonymous.

Tuesday, November 18, 2014

Four plus two is not always six, or at least it shouldn’t be

If you ask a mathematician how much four plus two is, he will tell you that it equals six. Exactly 6. It belongs to the integers, with no fractions or decimals. But if you have an engineer in front of you, it gets a bit tricky. He will probably tell you that he is missing some data. Indeed, four kilograms plus 2 grams is not the same as the reverse.

Now, when it comes to information security, fractions, decimals, variables or elements are not interesting. What is truly interesting is the value that can be derived from such a sum. So if the CIGTR tells you about four recent attacks and two recommendations to foster debate, what do you think the outcome will be? Let's see.

Monday, November 17, 2014

Misuse of the Internet: Cyberbullying, theft and lack of privacy

“To say that I'd do worse things than rape is utterly appalling, it's disgusting.” Isabella Sorley, 24, showed how deeply sorry she was for all the harm she had done, in an interview for the BBC in the UK.

Isabella is one of the many other faces hidden behind an Internet troll. With this interview the BBC was trying to clarify what goes through an apparently normal person’s mind to become a monster on social networks. Trolling is one of the most harmful and difficult to control peculiarities of the Internet.

Sunday, November 16, 2014

Top 5 Infosec links of the week (LII)

What is Net neutrality? According to Wikipedia, "freedom of restrictions on the kinds of equipment that can be used on the Internet and modes of communication allowed, without restricting the content, sites and platforms and where communication is not unreasonably degraded by other communication". The most-read news this week is about Net neutrality: the position of the President of the United States, Barack Obama, on it.

Obama’s position was not so clear in the past, and this is an issue that large companies providing access and services on the Internet have faced for many years: breaking neutrality means that the highest bidder will see its traffic prioritized over that of others, something that Obama is against, as he told the US Federal Communications Commission.

Saturday, November 15, 2014

I spy, You spy, He spies and WhatsApp makes it optional

It's the big complaint online: "We do not have privacy, we are spied everywhere". We're in tricky territory, where nobody yet has clear limits. Data is now big, big business and people love services that are free, in exchange for their information. They don't know, or don't want to know, that less privacy is less security.

But sometimes we recognize the danger and react. This has been the case with WhatsApp's blue double check: it was activated last week, to tell the sender of a message that the recipient has read it. After an avalanche of complaints and reports that some cybercriminals were using it for their misdeeds, yesterday WhatsApp launched a new version, 2.11.444, which allows this option to be disabled.

Friday, November 14, 2014

Caution, a must in the digital world

The story of spy Roberto Flórez was the most talked-about topic in Madrid in its day. This man did counter-espionage work for the Russians for several years, with some surprising movements. In this sense, he was not the most cautious person. He repeatedly offered his services at the door of the Russian Embassy in Madrid. This, added to the fact that he systematically kept all receipts and invoices from his work, led to him being found guilty of all charges presented at court.

For others, however, being cautious is mandatory. For that purpose, some technologies provide anonymous communication services, or at least all the anonymity you can expect from a digital system. The Tor network is one of the most common tools used by those interested in privacy. Perhaps this is the reason why this network is continuously targeted by strategies aimed at violating its architecture. OnionDuke is one of them. It modifies binary communications using a fraudulent Russian node. If you have the misfortune of exiting through this node, my friend, your communications are no longer secure.

Thursday, November 13, 2014

Happy endings in the digital world

“They lived happily ever after.” Many children's stories end with these words. But in Spanish they have another closing line that, literally translated, says “they lived happily and ate partridges.” Partridges actually have several positive connotations as a gastronomic delicacy. In the Middle Ages, only wealthy people could eat partridges. Thus, it implied that the characters would enjoy a full life, at both the emotional and the socio-economic level. The story ended well, and left a good taste in your mouth.

However, the real world is not so simple. Life is a collection of experiences, some positive and some negative. Depending on how you confront them, you can consider yourself successful or not. Nevertheless, some other stories have a clearly happy ending. Onymous was a joint operation by the Spanish Guardia Civil along with Eurojust and the New York Office that has ended up with 17 people associated with clandestine activities in the Deep Web in court. In addition, they have managed to close up to 410 services hosted on the TOR network.

Wednesday, November 12, 2014

Net neutrality: Controversy is under way

Obama's statement in support of Net Neutrality was the most highlighted topic yesterday. Given its impact, it is relevant to go into detail in order to resolve some questions about the meaning and connotations of a hypothetical Internet running at different speeds.

Net Neutrality is defined as a principle that establishes that all traffic flowing through a network (in this case, the Internet) should be treated equally, regardless of its content and origin. If this principle is broken, it could lead to a situation where video data has preference over text, or a specific media website with a high volume of users gains priority over other sites.

Tuesday, November 11, 2014

Keeping Internet open, free and well protected

“More than any other invention of our time, the Internet has unlocked possibilities we could just barely imagine a generation ago. And here's a big reason we've seen such incredible growth and innovation: Most Internet providers have treated Internet traffic equally. That's a principle known as ‘net neutrality’".

With these words, Obama has positioned himself as a defender of a free and open Internet for all. He asked the FCC to ensure its future, thus turning his back on companies interested in breaking Net Neutrality. Giving in to those companies' wishes would have allowed large enterprises such as Google or Amazon to make an unequal distribution of bandwidth according to their purposes, which would have been to the detriment of other services without as many resources.

Monday, November 10, 2014

All about Phishing: As simple as dangerous

Saturday morning. You get up in a good mood, aware that you don’t have to work today, and walk the few meters from the hall to the kitchen to make breakfast. While the milk is heating, you decide to check your email and you find something that you definitely did not expect.

Apple writes to let you know that you have successfully changed your recovery email address to an email address that you do not know. If you did not do it, you have the option to verify it. Of course, you click on it, fill in the form with your data, and cancel the change. Wait! Have you checked the domain from which the email was sent? Have you made sure that the website you are visiting has a valid CA certificate?

Sunday, November 9, 2014

Top 5 infosec links of the week (LI)

Personalized attacks. Invisible and persistent, targeting very specific people, usually well protected within a company or organization. Delicate operations of industrial espionage and cyber war, requiring the attacker to display all the craft of hacking. Attacks that arrived with the new millennium and are here to stay, one of the most striking aspects of information (in)security, also for our readers this week.

Overwhelmingly, the most-read news this week has been an excellent chronicle by Roberto Amado, showing that it is possible to carry out an Advanced Persistent Threat (APT) attack against a person or organization using robots from sites like Facebook and Google. These sites act as a communications bridge between the attacker and the victim, making it appear, to the victim and to those who protect him, that the attacker's inputs and outputs are innocent visits to and from social networks.

Saturday, November 8, 2014

Raid in Tor and more good news

The news has spread like wildfire in the last 48 hours: an FBI agent infiltrated the staff of one of the most famous markets selling drugs, guns, pornography and other illegal goods in the Tor network. Such boldness shows the high level reached by the US security forces in the network, able to get into the mouth of the wolf and end up arresting him. Today, perhaps because it’s Saturday, we only see good news around us: cops catching the bad guys, a powerful Spanish hacker community and airlines finally securing their communications. Come on.

Security experts are still open-mouthed: an FBI agent was able to gain the confidence of the 26-year-old Blake Benthall, current owner of Silk Road, the most famous black market in the Tor network. Benthall and his team managed a site with 150,000 users and profits of $8 million per month, according to the FBI. The agent collected enough information that in the past 48 hours 17 people have been arrested and various Tor markets closed, including Silk Road but also Pandora, Blue Sky, Hydra, Executive Outcomes, Fake ID and Cloud Nine. Wow!

Friday, November 7, 2014

Methodologies for exploiting vulnerabilities that never go out of style

On June 25, 2012, Apple slightly changed OS X’s official website. It swapped a statement that claimed "immune to PC viruses" for "designed to be safe." It was a battle that had been creating controversy for years, and it was one of the main factors that encouraged the myth that Apple devices were immune to attacks.

WireLurker, a new family of malware discovered by Palo Alto Networks, tries to take advantage of this general misinformation. It attacks iOS and OS X devices in the traditional way (fraudulent apps, links to malware downloads, faulty extensions used when visiting a website, connecting to a compromised device via USB...), and is able to install applications bypassing Apple’s sandbox (even on non-jailbroken iOS devices, for example).

Thursday, November 6, 2014

The importance of secure communications

Our society is based on communication. We are social beings; we depend on each other to survive. The way we compensated for our weaknesses to confront dangers was undoubtedly to evolve our communication system, which is neither the most efficient nor the most complex in the animal world, but is the most adaptive one.

Control of the media is one of the guarantees wished for by every single company or government. This gives them control over the discourse, and thus the ability to redirect it to their interests. It is a fact that Facebook runs experiments on our Facebook walls and profiles. Such experiments increased the level of political commitment of Facebook users by 3% prior to the US presidential election of 2012, by prioritizing discussions related to the two candidates for the presidency. Don’t you think such experiments are on the ethical and moral bounds?

Wednesday, November 5, 2014

The success of computer security and the music industry

On a cold day in January 1956, Elvis stepped into the recording studio, determined to give birth to his new single "Heartbreak Hotel". RCA Victor, the recording company which was working with the singer, had not given its approval, but producer Steve Sholes decided to "trust" Elvis and record it anyway. "Heartbreak Hotel" was number 1 in several top song lists at the time. 50 years later, thanks to its remastered version, it dominated the charts again and entered the exclusive Grammy Hall of Fame.

In the computer security world there are other "greatest hits" that never go out of style. Emil Kvarnhammar is the computing artist who challenged Apple with Rootpipe, a new vulnerability that allows privileges to be escalated to administrator level. After talking with the company, he published a video where you can see how he launches the exploit, but he will wait until early next year for Cupertino to patch it before explaining how to take advantage of it.

Tuesday, November 4, 2014

Benefits and dangers of digital roads

The expression "all roads lead to Rome" comes from the time of the Roman Empire, which managed to build more than 400 routes to connect its capital, Rome, with outlying provinces. A world which did not have a global communication infrastructure came to enjoy one within a few decades, forever changing the future of society.

Centuries later, we are living through a similar situation with new technologies. Roads are digital now, but they converge on each of us, for better or for worse. Those legions would now be represented by the algorithms and systems that allow us to find what we are looking for at the right time. One example is Android’s new version, Android Lollipop, which has improved in terms of security.

Monday, November 3, 2014

The hackers who ate Cap’n Crunch

In the early 70s, John Draper discovered by chance (thanks to a blind friend) that the whistle given away in Cap'n Crunch cereal boxes emitted a sound with the same wavelength as AT&T’s routing system. This allowed John Draper to access the system in operator mode and perform various actions, including making free calls. These homemade experiments helped democratize knowledge, and boosted the development of our current telephone system.

Something similar is what we are experiencing today with the release of several product guides from Hacking Team, an Italian company renowned for government spying. Several tutorials explain what techniques they used, how to exploit vulnerabilities (called 0-Days at the time) and the software’s possibilities for escalating privileges while going unnoticed by most antivirus firms.

Sunday, November 2, 2014

Top 5 Infosec links of the week (L)

They scare. They’re sooooo scary. They are the number one concern of most people who use computers. But, strangely, on Halloween we have not seen anyone dressed as a computer virus! Maybe because they have no face or body to mimic and make a mask of, they’re invisible, but the mere mention of them causes concern among people. This week's most viewed links are related to computer viruses, which experts more appropriately call malware.

It’s not a trivial fear: this week PandaLabs presented its report for the third quarter, which highlights the increasing creation of malicious code by 38%, one point higher than the previous quarter. The phenomenon has shot up and is out of control; the most common infections are by Trojans (78%), the most damaging malware precisely because they stay quietly on your computer, making the rounds.

Saturday, November 1, 2014

Walking with pirates

Rum Rum, the bottle of rum. The fiercest pirates of all the Seas are turning in their graves, since the Real Academia de la Lengua Española has decided to make "hacker" synonymous with "computer pirate". This subject is now a trending topic in the Spanish community of security experts, who overwhelmingly reject it. But there was a time, when the computer revolution started, when hackers considered it an honor to be computer pirates.

It was when hackers, mostly teenagers, found their greatest fun in breaking copy protections in videogames and programs, and called the result pirated software. Then some of those hackers grew up and kept devoting themselves to it, this time distributing movies and music. So they called their flagship The Pirate Bay, the largest database of pirated culture in the world and also the one most persecuted by the authorities. Yesterday, one of its founders, Gottfrid Svartholm Warg, alias Anakata, was sentenced to 3½ years in prison, not because of The Pirate Bay, but for getting into the computers of a Danish company and stealing data.