Wednesday, December 31, 2014

Five infographics for a more secure 2015

Whether it is the famous ball located on the roof of One Times Square in New York, the popular twelve grapes of luck in Madrid (Spain), the Italian lentils or the magic combination of sea and fireworks in Brazil, each culture has its own ritual to say goodbye to the year. At the CIGTR we are going to do it with infographics. There is no better way to close 2014 than to make you think about security before all the partying and the bank holiday. Today, more than ever, "a picture is worth a thousand words".

What you will find in the first infographic, produced by Symantec, is not twelve grapes but seven myths: seven myths about cybersecurity that this security firm refutes. If you want to keep yourself secure in 2015, buy professional antivirus software. Free versions do not work. You may think you are so clever, but noticing if your device is infected is a task reserved for very few. These are just two of the seven myths. To find out the rest, please look for the link below this article.

Tuesday, December 30, 2014

Surveillance, cyber crime and censorship sign off 2014

"They cannot kill me, my country will react, it will send a letter." James Bond defended himself this way in Casino Royale, referring to the response his government would supposedly give following his death. But Bond was a spy, and therefore he knew that if he had problems, he would be alone.

Spy movies were very popular in the 80’s and 90’s. Now they are back in fashion, although they are not just movies. The German chancellor has learned more than once of being spied on. This time it was discovered almost by chance, thanks to smart antivirus software that detected a USB stick infected by Regin, spyware linked with British intelligence and the US National Security Agency (at least in the beginning).

Monday, December 29, 2014

Identity theft techniques become more sophisticated

Hijacking or personal data theft is a clear trend that we will have to face more and more often. The techniques remain the same, but due to the industrialization of digital crime and fierce technological evolution, they are becoming more sophisticated.

Let’s imagine a scenario in which most services use fingerprint reading as their identification method. In this environment, let’s imagine that a group like the Chaos Computer Club is able to obtain anyone’s fingerprints from some pictures of their hands taken from different angles. Actually this scenario is not a utopia, but reality. In one of their latest lectures, these Germans showed how they obtained those of their defense minister, Ursula von der Leyen, thanks to some photos gathered from public sources.

Sunday, December 28, 2014

Top 10 Infosec links of the year

Definitely, four words have shocked our readers this year: "Pictures of naked celebrities". Not Heartbleed, nor Chameleon, nor the end of Windows XP support: the most read stories of 2014 in this, your humble information service, refer to "Celebgate", the hack against Apple's iCloud service and the subsequent theft and leak of celebrities' pictures. Somebody even tried to make an exhibition with some of them.
We didn't see, however, nude photos of male celebrities, demonstrating that black hats are men and heterosexual, and/or famous men don't take nude pictures of themselves. Anyway, 2014 has been the year when many users have become aware of their privacy, seeing how easy it is to get data that reveals their lives and routines, as in the social network for athletes, Endomondo, which by default discloses its members' routes.

Saturday, December 27, 2014

Black clouds of insecurity over Internet

If we lived in "The Lord of the Rings" we would say that Sauron and his dark shadow cover practically the entire Internet. Wherever we look, the Black Riders roam freely, allowing themselves to threaten the holiest things on the net, and the net itself. Faced with so many orcs, created by mafias but also by black magicians working for governments, the fight of the Community of the Net seems a drop in an ocean of lava. If you allow us the pessimism, computer insecurity is actually rampant and exceeds all predictions of science fiction and cyberpunk literature.
Just look at the Lizard Squad group: after spending Christmas bombing Xbox Live and PS Network, they now threaten to break down the Tor network, created to ensure anonymity and unrelated to the video game world. Tor is a goal too far from the old ways of Lizard Squad, whose success seems to have gone to its head. Another dodgy character, Kim Dotcom, Mega's millionaire owner, has also gotten into this bizarre story.

Friday, December 26, 2014

Security, privacy and cyber war: what is to come

2014 ends showing us two trends for next year. On the one hand, the increasing use of denial of service attacks. On the other, the assaults on citizens' privacy in alleged attempts to fight terrorism. We bring you four articles about some recent events, two for each subject.

The answer to the alleged attack on Sony Pictures by North Korea finally arrived. A massive DDoS attack shut down the whole North Korean Internet network for about 10 hours. The US is thought to be the attacker. Information is still being gathered, but it seems clear that there were innocent victims, such as the Spanish hosting provider Dinahosting, whose DNS was targeted by the campaign for hosting a site related to the country's government on its servers.

Wednesday, December 24, 2014

Times change

A change process is the transformation suffered by a previous state into a new state. Until 1990, science understood change as an exception between two stages of stability. With the social and technological developments in the past two decades, change became a constant, something permanent in our lives, something we must adapt to and learn to cope with.

In fact, one of the most traditional companies in terms of change management, Apple, has been forced to launch an automatic update for the first time in the history of its desktop OS X. This security update patches a serious flaw in the NTP protocol that could allow an attacker to remotely control any vulnerable device. Moreover, it became mandatory for the first time, with the system asked to auto-run it as soon as it connects to the Internet.

Tuesday, December 23, 2014

Technology is neither good nor bad; nor is it neutral

Melvin Kranzberg was a renowned history professor who spent his student years during the Second World War. Knowing the influence of technology on society, and witnessing that all innovations were negatively perceived by people who saw how they were used to create more and more destructive weapons, he defended technology by saying "Technology is neither good nor bad, nor neutral."

"It is how you use it that tips the balance towards either side," others add as a tagline. There are plenty of examples of good and bad uses of technology in history.

Monday, December 22, 2014

Clocks putting national security at risk

Egyptians measured time with the hourglass, a device that controlled water flow to time actions. Even before that, human beings had used sundials or sand clocks. The first clocks with weights and wheels appeared at the time of the Byzantine Empire. They evolved in the Middle Ages until they became more sophisticated and smaller, leading to the invention of the hand watch around the seventeenth century. Then came the mechanical ones, later the analog and digital ones, and finally the atomic one.

The whole technological network of our society depends on tools for measuring time, ranging from the flow of actions itself to the connection and communication of data packets and the input and output of information displayed on a screen. To control all this, time management protocols were developed, such as NTP, used to synchronize the clocks of different connected systems, preventing leaks and packet loss. But Neel Mehta and Stephen Roettger, from Google’s security team, have demonstrated that NTP is remotely vulnerable and allows an attacker to gain control of a system with user permissions. This vulnerability affects almost all systems, but it becomes critical for ICS and SCADA architectures, which are used for power stations, traffic lights or water purification systems.

Sunday, December 21, 2014

Top 5 Infosec links of the week (LVII)

Usually at this time of year, the media ask brainy experts to decide, after much deliberation, what issues will be key next year. Here at CIGTR we are lucky because our readers are experts or, at least, very curious. So, we just need to take a glance at what has most interested them this week to find out which will be the 2015 security trending topics.

On the one hand, malware that encrypts the information contained on computers and demands a ransom for deciphering it is rising as an undisputed threat. CryptoLocker is the best known, but there are others, like TorrentLocker, which AV company ESET has meticulously analyzed.

Saturday, December 20, 2014

Lights, camera... Hacktion!!

"The Empire threatens 'Alderaan-Like massacre' if new Star Wars movie is released". If you are a huge fan of George Lucas' saga you will know the meaning of this ironic tweet from the controversial @KimDotCom (Megaupload, Mega). If not, search Google for the term Alderaan and quite soon you will understand.

Whether or not you like Kim's style, the #SonyHack earthquake has shaken every single rock in the entertainment industry. Over the last few hours everything has been moving 'fast and furious', going from astonishment to threats: the FBI says that North Korea is behind the attack, president Barack Obama announces there will be retaliation and even asks China for help, and the more and more isolated Korea of Kim (another Kim) Jong Un replies that they don't know what this 'movie' is about.

Friday, December 19, 2014

A quick approach to cybersecurity in 2015

The picture you can see attached to this article is commonly used in Internet memes about ironic situations: a college of architecture and planning so badly designed that there is no space for the first letter of the sign? Well, last year ended in a similar way in terms of cybersecurity: a well-known retail chain called Target became the target of cybercriminals in one of the most famous operations carried out so far.

But Target’s story is still making headlines. The researcher Stephen Cobb has analyzed the 12 months following the assault and extracted some lessons for the future: you must pay attention to internal accounts and networks; you must add good technology, good people and good leadership; you must assume that politicians are not doing enough, and neither are companies themselves; and it should be clear that smart chips alone are not going to end cybercrime.

Thursday, December 18, 2014

The Great Dictator, the Great Hacker

"Our knowledge has made us cynical. Our cleverness, hard and unkind. We think too much and feel too little. More than machinery we need humanity. More than cleverness we need kindness and gentleness. Without these qualities, life will be violent and all will be lost..." 'The Great Dictator'. Charles Chaplin. 1940. This is one of the most vibrant, emotional and immortal speeches in the history of cinema.

Would we have been able to watch this movie if criminals paid by Germany had brought the entire film industry to its knees during the World War? In fact, it seems that something similar happened with Sony Pictures, after it was hacked by cyber crooks. The group is apparently funded by North Korea and managed to get the company to cancel the release of ‘The Interview’, a political comedy that makes fun of Kim Jong-Un, just as the immortal Chaplin did with his story about the human aberration that Adolf Hitler represented.

Wednesday, December 17, 2014

Cyber weapon creators and Hephaestus' forge

It is said of Hephaestus, son of Hera and Zeus in Greek mythology, that he was born deformed and was thrown into the sea, where two mermaids saved him and hid him in a cave. In that cave he would eventually learn the secrets of the forge. This is why he is called god of fire and the forge. He created weapons and utensils considered relics of the gods, such as the chariot of Helios, the helmet of invisibility of Hades or the arrows of Eros.

Hephaestus is also the god of blacksmiths, craftsmen and sculptors, and he could also be the god of malware developers. With his anvil he worked metal as cybercriminals work with bits, shaping powerful cyber weapons.

Tuesday, December 16, 2014

You could pay a high price for these blunders and mistakes

"Blunders." Whether they are intentional or not, it is common to find these small mistakes in everything we do. They are sometimes funny and not very serious, like some bloopers in a film production: for instance, that plane that flies behind Achilles in Troy, or the glove that showed up and disappeared on Han Solo’s hand in Star Wars. But small blunders can sometimes be crucial for the success or failure of a malware campaign. Friends of the CIGTR, are you ready? Let's start.

A Chinese security company called 360 warned this week of a new threat to Android devices. The creature has been dubbed Fakedebuggerd. It is malware that uses rootkit techniques to ensure persistence on the system. It thus drives users crazy with alleged flashlight or calendar apps which appear and disappear from the list of installed apps. It also hides an APT that steals private information: network names, calls, SIM card information, firmware...

Monday, December 15, 2014

Not very optimistic digital Christmas: security breaches and attacks on privacy

"We are preparing for you a Christmas gift," Guardians of Peace said in a post to both Pastebin and Friendpaste. "The gift will be larger quantities of data. And it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state."

This cybercriminal group behind the attack on Sony Pictures’s infrastructure is threatening to disclose more confidential information if its demands are not met. Attacks of this kind are sadly making headlines today too. Around 1600 (physical and virtual) Linux servers and 811 Windows servers have been breached. About 3000 personal computers of employees in American territory, and 7700 worldwide, have been compromised. More than one terabyte of private (and sometimes critical) information has been disclosed on file and torrent sharing websites. Even the internal certificate of your company could already be in use to spread self-signed malware.

Sunday, December 14, 2014

Top 5 Infosec links of the week (LVI)

What's Lizard Squad? Possibly this name will sound familiar to just a few readers, but that would change if we clarify that it's the group responsible for the recent cyber attacks that have stretched the PlayStation and XBox Live online sites. Both actions have been, by far, the most read stories this week.

No wonder, considering that online gaming is one of the main interests on the Internet and any interruption is widely commented on. Bad hackers know it, like Lizard Squad, one of the most active computer crime gangs, devoted body and soul to attacking the video game business. And so they are doing: the PlayStation website was inaccessible all Monday, and Microsoft's XBox Live suffered a heavy Distributed Denial of Service bombardment that left the service KO last weekend. To make matters worse, Lizard Squad has announced that it will hit Sony again this Christmas.

Saturday, December 13, 2014

Don't let Internet sour your holidays

The Christmas holidays are the perfect time, with all this cold and a lot of leisure, to spend more hours than normal on the Internet or do more shopping online. Criminals know this and have everything prepared for the Christmas season, including fraud, theft, extortion, intrusion into companies, etc. We do not intend to scare you or embitter your vacations, but we think that a bit of attention and awareness in our cyberlife would not hurt us these days.

The results of a survey conducted by BalaBit on privileged users, such as managers and executives, warn about Christmas risks: 70% of them will connect from home to their corporate network during these holidays to check email, half of them several times a day. And the vast majority will use for these connections either their own, a friend's or a public device, as with public wifi networks, which are extremely dangerous because criminals may be listening. To make matters worse, 38% of respondents have not been asked for extra levels of authentication when connecting to the company network from a device that has not been registered.

Friday, December 12, 2014

The Internet of Things: a clear target in 2015

The connected world is the technological transformation that breaks geographical and temporal barriers and quantifies the real world, providing us with measurable variables. It is an ecosystem of wearable devices, mobile devices and home automation devices. The era of the Internet of Things is coming. But like any other paradigm shift, it brings associated risks.

The Internet of Things is made up of billions of devices running over different protocols in a fervent struggle to get the leadership of the sector. The implementation of several protocols with different vulnerabilities without a standardized control could affect even your life when an attacker takes advantage of such vulnerabilities to compromise medical technology.

Thursday, December 11, 2014

Everyone has a hacker inside them

1961 is one of the most important dates in the technological world. In that year, the Signals and Energy committee at the Tech Model Railroad Club got one of the first PDP-1 computers. This group would later become the core of the Artificial Intelligence Laboratory at MIT, the top AI center in the world in the early 80’s. And it would eventually introduce the term ‘hacker’ into the collective consciousness.

Hacker is one of the most controversial words of recent years. Hacker has been commonly used as a synonym for digital intruder: for example, for the guys behind vulnerabilities such as POODLE. Actually, this one has jumped from SSL to some versions of the TLS protocol. But you won’t be bug-free even if you disable falling back to SSL. TLS version 1.2 seems to be vulnerable too.

Wednesday, December 10, 2014

Past, present and future of IT security

In the movie ‘Back to the Future’ (1986), Robert Zemeckis (screenwriter) pictured how he imagined the world in 2000. It was a world with flying vehicles and wearable technology, where people were still going to coffee shops to enjoy pancakes with ice cream and chocolate syrup while reading... a digital newspaper.

2014 is about to end and Marty McFly’s world seems to be so far away in time. However, we are close to living in a permanently connected world with all the technology needed to feed our voracious appetite for information. McAfee Labs describes the main trends in cybersecurity for next year in its latest threat report. And yes, the internet of things as well as wearables and mobile devices appear as primary sources of risk.

Tuesday, December 9, 2014

Several tips on freedom and privacy on the Internet

Don Quixote said to his unshakable squire: "Freedom, Sancho, is one of the most precious gifts that heaven has bestowed upon men; no treasures that the earth holds buried or the sea conceals can compare with it; for freedom, as for honour, life may and should be ventured." The 'nobleman' took this ode as a principle while he was making his way through the yellow fields of Castile as in a heroic epic.

Freedom remains as important for the future of society today as it was then. But freedom is encapsulated under self-control principles that allow collective life. And freedom is continuously suspected of being put under government control, including censorship, as GigaOM recently demonstrated in a study (PDF version) that analyzes its progress in 65 countries in 2014. Russia, Turkey and Ukraine are the ones where the level of censorship is highest; Iran, China and Syria are the ones most limited in terms of personal expression.

Monday, December 8, 2014

Millions of users in the crosshairs of the crime industry

The video game world holds 9% of the entire cybercrime industry. This 9% represents hundreds of millions in annual losses for video game companies, and millions in profits for evil minds. In fact it is one of the four most attacked targets in the cyber environment, and a perfect breeding ground for all techniques of extortion, denial of service attacks and theft of data by black hat "hackers".

Lizard Squad is one of the most active groups in the black market. It has picked this bank holiday in Spain to carry out its misdeeds: two major attacks on two of the three major gaming ecosystems.

Sunday, December 7, 2014

Top 5 Infosec links of the week (LV)

It's a love-hate relationship we have with technological devices. On the one hand, they're our object of desire and we spend huge amounts of money on them. But, on the other hand, as they become more complex, our ignorance about how they work and how to use them safely increases. So, we fear them. That's why most of our top read stories this week (and most weeks) are related to dangers lurking in our digital life.

Our top news this week relates to several Chinese mobile phones, clones of well-known brands, sold with factory-installed Trojans, namely malicious code in the phone's firmware which allows installing software without the owner's knowledge, data monitoring and even identity theft.

Saturday, December 6, 2014

The hack of the year

In the good old days it was said that the network grew so exponentially that one year in the Real World was seven years on the Internet. This rate of growth has been slowing, except in some areas where research continues and new software, new theories and new experts constantly appear, as in social media marketing and, to a greater extent, computer security, a world moving relentlessly, plunged into an arms race that is unstoppable today.

Undoubtedly, the hack of this year and the next is the attack against Sony corporation by a group calling themselves #GOP (Guardians Of Peace), with the hash sign included in its name, born to be a trending topic. To the mystery about the attackers' origin and motivation (it was said to be an attack by the North Korean government, but today many experts doubt it) we must add their disproportionate actions: they have disseminated on the Internet films not yet released and documents that reveal the salaries of senior executives and, today, we know they are sending emails to Sony employees, threatening to attack them if they do not sign a letter against the company.

Friday, December 5, 2014

Don’t let your lack of digital knowledge make you weaker

Cleobulus, known as one of the Seven Sages of Greece, launched a personal crusade against ignorance. A quote attributed to him says “Ignorance and talkativeness bear the chief sway among men”.

Such ignorance is used to weave the dark and harmful side of technology. As an example, several popular Chinese cellphone clones are sold with malicious software in their firmware. This software allows installing external packages, monitoring data consumption and even stealing the identity of the user. If you have chosen a clone device, watch out! Don’t let ignorance make you weak.

Thursday, December 4, 2014

Your salvation on the Internet depends on two human variables

“I am I and my circumstance; and, if I do not save it, I do not save myself.” You may already have heard these words more than once and certainly this will not be the last time. This is how Ortega y Gasset explained one of his philosophical pillars, vital reason. Every person (user) is influenced by two factors: what he thinks and what he lives. We cannot understand human nature by isolating reason (absolute concepts) from vitality (subjective experiences).

In this sense, the Internet, understood as a technological network created as a reflection of our ability to communicate, cannot get away from this fact.

Wednesday, December 3, 2014

It was accidentally on purpose, as a digital hook

Last week Roberto Gómez Bolaños, better known as "Chespirito" or "Chavo del Ocho", passed away. One of those humorous artists with whom we grew up, he coined the famous phrase "It was accidentally on purpose".

Cyber attackers have hurried to exploit the tragic news for malicious purposes. A sponsored tweet (for now in English, although we expect it to spread in Spanish and Portuguese) invites the user to access a page with supposedly new information about the event, and is exploited to send victims to an infected domain or to download an adware app. Let's be very careful with shortened links.

Tuesday, December 2, 2014

The Hitchhiker's Digital Guide

Imagine that on a morning like today someone knocks on your door and gently notifies you that your house will be demolished. A similar situation (in fact, literally similar), just changing 'home' for 'planet', is what Arthur Dent had to live through in "The Hitchhiker's Guide to the Galaxy", the first novel of the saga of the same name, written by Douglas Adams, whose format more closely resembles the classic step-by-step tutorial about what we should not do in accordance with what’s happening.

If Adams was able to write five novels under the same prism, shall we not be able to lecture ourselves accordingly with the day's news in computer security? Digital Hitchhiker, let's do it.

Monday, December 1, 2014

Enjoying the International Computer Security Day in the best way

The "International Day of Information Security" has been celebrated on November 30th since 1998. This date is a good occasion for everyone who works in computer security to raise awareness about the important role that information security plays nowadays. Last November 30th was a Sunday, so let’s start this week by dipping into some of the 'hot' headlines of the weekend, all of them, of course, related to privacy, security and exploitation of bugs.

You can spend the International Computer Security Day in many different ways. For some people, information security and the right to privacy are above global interests. For others, the end justifies the means. This is why the abuse of personal information is reasonably accepted in some specific areas. For instance, when a judge requests the intervention of the digital accounts of a suspect. But what about when this is done in bulk, whether the citizen who is being spied on is a suspect or not?