Thursday, December 31, 2015

It's all about compilations


Well, we are on the last day of the year. A year full of news that we tried to bring you in the quickest and funniest way we could. A year of enjoying the benefits of technology and warning about its risks. A year's end we want to celebrate with you in the best way we know: with a compilation of articles that are themselves compilations of the hottest topics of this year, and of those we expect to see next year.


Wednesday, December 30, 2015

The battlefield: cyberspace


The Matrix (1999) shows very clearly an approaching reality: that of the third environment, cyberspace as a real battlefield.


Tuesday, December 29, 2015

The two faces of technology


Technology brings out the best and the worst in each person and each society. One moment we are facing an advance without precedent in the history of our community, and the next we are facing the greatest atrocity. And all of this thanks to the possibilities of technology.


Monday, December 28, 2015

It's difficult not to think badly



These days are for spending time with the family, indulging in some gastronomic licence and escaping the daily routine. But we don't forget the security challenges of all the systems that surround us. And that's why we shouldn't skip the daily information pill.



Sunday, December 27, 2015

Jorge Ramió: "There's a looming threat over critical infrastructures"

Jorge Ramió. Professor of security and cryptography.

If there is an archetype of the venerable university professor in the Spanish computer security community, it is definitely Dr. Jorge Ramió Aguirre, from the Department of Information Systems of the School of Engineering Systems at the Polytechnic University of Madrid (UPM). We read on his personal website that he is just 64. His son is "also an engineer, MBA and deejay", as the doctor details via mail.

Small in build, Dr. Ramió affectionately reminds us of Speedy Gonzales because of the constant stream of energy he generously pours into creating interesting projects, which have put the UPM on the map of the Spanish hacker community. When Jorge is not organizing a security conference, he is turning his crypto lab software into an eBook. Or imagining new multimedia lessons about who Alice and Bob were and what they did with the keys. It's all public and free. Definitely, it's really, really hard not to get passionate about this passionate man.


- How do you manage to be always smiling?

- It is the fact of being happy with what has been done. Knowing that you are contributing something to universal culture, even if slightly, something that will serve someone; always having new projects to think up and renew. And obviously having a family that supports you, because they know that all this time dedicated to sharing information for free makes me feel happy, helpful and fulfilled.

- Your most renowned project is Criptored.

- It was born on December 1, 1999, with the main objective of becoming a social network of computer security professionals, and a website to share information, not only in Spain but throughout Latin America. In February 2015 it reached over a thousand members, representing 23 countries, and in September a professional group on LinkedIn was created, up to 1,887 members in just three months.

Over 16 years, Criptored has been leading various projects related to security dissemination: 8 CIBSI congresses in different countries of Latin America, the visual encyclopedia of information security Intypedia, the first MOOC in Spanish Crypt4you, the Information Security Teaching Map MESI, Thoth training pills, online training with leading experts as guest lecturers. It has also delivered for free more than 5 million documents on the Internet.

- Why did you start it up?

- It was born after a discussion via mailing list between several security professors in mid-1998, about which area of knowledge was most appropriate for teaching security and cryptography. I noticed that we were a good number of teachers excited about and interested in exchanging our documentation, and I wondered why not centralize all that effort on a webpage, since there were still no social networks.

Moreover, I saw that this could help many colleagues and friends from other universities in Latin America that were a few years behind Spain on issues like teaching information security. In recent years Dr. Alfonso Muñoz has been collaborating with me, and from the beginning I have been lucky to have another university colleague, Mr. Daniel Calzada, in this project.

- What is the secret of that success?

- The love we put into making things go well, and something that has very little value here in Spain: innovation. I give these three examples: The Intypedia project, born in 2010, was the first to teach security through videos with avatars and we are reaching 600,000 views on YouTube. We could not go on due to lack of a sponsor. The MOOC Crypt4you, from 2012, was the first in Spanish and almost simultaneous with the start of the MOOCs in the United States, long before MOOC fever invaded the Spanish universities; it is an active project and we are also around 600,000 visits.

Finally, the Thoth training pills, born in 2014 with the financial support of Talentum Startups to pay interns, were one of the first of their kind and there is no other similar example in the Spanish language. Keeping the proper proportions, the closest would be Khan Academy, but the budget difference is astronomical. With over 30 published pills and 55,000 views on YouTube, the goal is to continue publishing at least one pill a month. This media reach in other countries could be considered worthy of institutional support, but not here in Spain. Moreover, in the field of academic recognition this work is useless.

- When I talk to young professionals in computer security, college educated, they always tell me that they can only learn by practicing. Does that mean that college teaching is wrong?

- In security it is very difficult to cover many aspects in two or three subjects, even in the best case that some college has those three subjects. And it gets worse if we talk about practical work. As there is no longer track or specialization in security, in the end you have to choose to impart the basic knowledge on security, encryption, regulation, security management, network security... and you cannot give more, leaving out many other topics that are interesting for the work of a security professional and, of course, most of that missing practical work.

Due to the high demand for cybersecurity experts and the interest of young people in everything about it, for some years now there should have been a university degree in security, but no one dares to take the step, even when they are all crazy about security master's degrees: there are already 26 in Spain, and growing.

We have dozens of issues to make an excellent security engineering degree, but the trick is to have a dozen expert teachers, even more so in the current situation of Spanish universities, where there is no generational change. Young people and security experts can earn three to four times more in other sectors.

- Your projects Thoth, Intypedia or MOOC Crypt4you, using audiovisual and distance learning, are they a sample of how you would teach security in universities?

- Yes, in fact the aim of the Thoth project is to generate a large multimedia book that can encompass many issues of security and that, by itself, sets up a complete teaching tool. I usually use that material in my classes and it is crystal clear that this is an added bonus. In fact, I know that there are teachers in Spain and Latin America who use Thoth pills and Intypedia lessons to start a topic and draw the attention of their students.

- You are also the author of the Information Security Teaching Map MESI. Is security teaching well covered in Spain?

- We have made some huge progress in the last five years, reaching 229 subjects dedicated exclusively to security, 89 of which are required, which is already a great success, another 122 courses partially devoted to these issues and, as I said, 26 master's degrees. There are always unfinished subjects to address current topics such as malware analysis, reverse engineering, machine audit, industrial security, forensics, pentesting, critical infrastructure security, APTs, etc.

- Each day we wake up to 3 or 4 serious security news items. What are we doing wrong?

- Learn this maxim: security is never 100% possible by nature. We talk about security as a dynamic process that adapts through continuous improvement, so nothing will ever be completely secure. On the other hand, it is much easier to destroy than to build.

The problem that lies ahead is the so-called cybersecurity environment, misnamed by some who confuse it with network and information technology security. Cybersecurity unites the IT world with the OT world of machines and industrial systems. The main aspect is the control of equipment and systems from the OT world by IT systems and devices. That's the origin of the word cybernetics and therefore 'cyber'. That is the great threat to critical infrastructure, because we are not talking about my PC infected by a virus (the 80s), or the corporate network destroyed by a worm (the 90s), or even only failures in global networks and cybercrime (the 2000s), but the critical infrastructure of a country, whose damage can affect a large population and even cost lives (the 2010s).

Text: Mercè Molist

Thursday, December 24, 2015

A computer error frees thousands of prisoners early

3,200 Washington prisoners would have been released early because of a computer error, the governor's office of this state has announced. We'll talk about this, and about a new bank data theft in hotels, Google and Yahoo! joining in an attempt to eliminate passwords and a very geeky gift recommendation: a device to spy on mobile phones. Let's start.



The problems in the computer systems of the prison facilities started when, by order of the Supreme Court, prisoners started to receive good-behaviour credits. The change in the code introduced a wrong sequence, which started to give some prisoners more credits than it should, allowing them to be released an average of 49 days early. In all, 3% of all releases since 2002. What we find more serious is that the error was discovered in 2012, but it wasn't fixed until a new CIO joined the department and noticed it.


Wednesday, December 23, 2015

Oracle must help its users to destroy old Java versions

It's the first time that the powerful Federal Trade Commission of the United States has admonished a software manufacturer for irregularities in its security updates. The "winner" is the giant Oracle and we'll see why. We'll also talk about the Juniper case and its relation to the Encryption Wars, and about one of the Swedish researchers who have cracked quantum cryptography.



The FTC accuses Oracle of making false statements regarding Java SE security, assuring users that the system was safe after the security updates when, actually, the process didn't erase the old and unsafe versions installed on the computers, which is a serious security problem. Oracle will help its clients to uninstall these old versions or it will face a fine.


Tuesday, December 22, 2015

Beware of media intoxication about SCADA attacks in 2016

Today it is the main story in most of the media specialized in cybersecurity: Iranian mercenaries would have attacked a dam and an electric grid in the United States and stolen information from them. Everyone is worried, except some experts who say it is sensationalism. We'll talk about this, and also about the analysis of banking apps on iOS, a drug case on the Dark Web and the multiple possible attacks against... a light bulb, yes.



Welcome to a preview of what we will possibly see in 2016: the media, with the respectable Washington Post at the head, report an attack against a dam and an electric grid in the United States and point to computer mercenaries paid by Iran as the culprits. Robert M. Lee, instructor of the critical infrastructure course at SANS, asserts that there's too much sensationalism in the story and that the plans wouldn't have been stolen from the dam's systems but from the contractor's computer. Read this.


Monday, December 21, 2015

Who put the backdoors in Juniper's firewalls?

"Rapid7 has discovered a master password in one of the Juniper firewall backdoors. We hope an exploit will soon appear on Metasploit. Patch now". This warning is circulating today in the cybersecurity neighbourhood on Twitter. Last Friday we warned about this serious problem and it has worsened over the weekend. We'll talk about this, and about the warning made by Edward Snowden regarding Telegram, the approval of the CISA law in the United States and a new code to warn about legal problems on a website.



If on Friday we talked about a backdoor in devices from Juniper, leader in the corporate firewall market, today we know there are two: one of them allows decrypting the VPN and the other one opens SSH to attackers. Also, the company Rapid7 has discovered a password that would make it easy to open SSH connections. Who put it there? Juniper denied it, while a lot of people remember a secret file unveiled by Snowden that showed an NSA tool to put backdoors in Juniper's firewalls. Was it the NSA? Or another government, which took advantage of the hole made by the NSA?


Friday, December 18, 2015

If you use Outlook, be safe from "bomb emails"

The last round of patches for Outlook has revealed a serious risk for its users: a malicious attachment can be activated just by opening the mail, making it unnecessary to click on it. We'll also talk about an important backdoor in Juniper firewalls, about a big controversy that pits Facebook against a researcher and about the catalogue of devices used by the government to spy on our telephone communications.



Microsoft published the patch for this vulnerability on the 8th of December, but until now we hadn't got more details about this scary threat, which allows an attachment to bypass all the Outlook controls and activate itself without anyone clicking on it. Users must update as soon as possible. It's an especially sensitive hole for corporate environments, where a simple attachment can hide the beginning of an important case of industrial espionage or bank data theft.


Thursday, December 17, 2015

There are 35,000 unsafe databases on the Internet and the number is increasing

"At this moment there are at least 35,000 MongoDB databases publicly available, without authentication, on the Internet", the founder of the Shodan search engine has written, after the recent theft of the data of 13 million MacKeeper users. We'll explain this information and also the data about the global increase in database thefts, a serious failure in the startup of Linux and the latest adventure of the popular iPhone hacker George Hotz.



John Matherly, founder of Shodan, has written on his blog that the number of unsafe MongoDB databases on the network has increased by 5,000 since the last count, in July. Today there are 35,000, hosted mainly on Amazon, Digital Ocean and Aliyun (Alibaba). The main problems in these databases are the failure to update to newer versions and safer configurations and the lack of firewalls.


Wednesday, December 16, 2015

Blackmail by postal mail against Ashley Madison users

Today we talk about a big data theft, the one at Ashley Madison, an important security failure in Joomla and another one in FireEye.


A security breach is a big thing. Ask the users of the Ashley Madison website, which suffered the theft of the data of thousands of clients in the summer. Given the sensitive nature of the stolen data, which contains information about sexual preferences and contacts, some users have been blackmailed. The latest thing is blackmail by postal mail: a letter is sent to the victim's home asking for thousands of dollars in exchange for not revealing this information.


Tuesday, December 15, 2015

The security of the unnoticed


Every day we see apparently secure services fall: from antivirus systems to e-commerce, toys and even critical infrastructures. There's no limit to the aspirations of an intelligence agency or a cybercriminal group.


Monday, December 14, 2015

Yin-yang of cybersecurity

One thing is "who watches the bad guys" and another thing is "who the good ones are watching". It is not the first time, nor the last, that we ponder these questions. But today is one of those days when both issues may be posed. And be aware: if someone behaves badly, another one with more skills will take advantage of this, and the first one will pay for both. That is, bad guys can mislead the good ones into thinking that the bad guys are others. What's more: if they can do it, they will do it.

Twitter warns: there are cybercriminals spying on users, cybercriminals from... government services, such as the US Government, and who knows if some other government. They want to get everything about you: your phone number, your e-mail, your messages. Everything. Twitter has evidence that this is so, but is unable to confirm or deny whether the "agents" have achieved such purposes. Twitter has notified the affected users and, for all we know, among them you can find "sweet" profiles such as journalists and security experts.


Sunday, December 13, 2015

Pablo F. Iglesias: "Massive tracking does not help against terrorism"

Pablo F. Iglesias. Digital watchman.


If you look for Pablo F. Iglesias on Google you will find his Twitter account, his website, his LinkedIn account, his YouTube account, his About.me profile, his Facebook profile and another one on Google+. There are a lot of people called Pablo Iglesias in the world, but this one is a 'crack' of the social Internet and that is why he occupies the first page of Google. And what are we doing talking about him, when this is a computer security blog? OK. Pablo also knows his way around that, hugely.

Pablo, AKA PabloYglesias, was born 28 years ago in Mieres, a small mining town in Asturias. He studied for a Telecommunications Engineering degree, but in the third year he was so bored that he switched to Fine Arts. An affable man, proud dad of two cats, his beard cannot hide his good-person face. He works on analytics and digital surveillance for SocialBrains and advises SMEs on what is called "digital transformation". He still has time to write on his blog, which just placed fourth in the Spanish Bitácoras' Blogs Awards for Best Information Security Blog.


Friday, December 11, 2015

One in three corporate computers has been attacked in 2015

58% of corporate computers have been attacked in 2015, because in 41% of the cases the malware evades the antivirus. This is only one of the frightening numbers shown by Kaspersky Lab's annual study on corporate security. We'll talk about it and about the infection of a text from "The Guardian", about thousands of insecure car immobilizers and about the little interest Dutch Phone House shows in the security of its clients.




Corporate computers are three times more susceptible to attacks than home computers, according to Kaspersky's annual report. One in three corporate computers has suffered a web attack in 2015, in a world where browsers and the web are now the main entry point for malware and where ransomware is increasing quickly. Worth the read.


Thursday, December 10, 2015

Another media outlet infects its visitors

First it was "The Economist", "Daily Mail" or "Reader's Digest". Now "The Independent" has been attacked and has served malware to its visitors. Today we'll also talk about DDoS attacks, the renewed investigations into who the father of Bitcoin might be and about how easy it is to manipulate the black box of a ship.


We're living through an infection campaign on WordPress sites, which in turn infect their visitors. The campaign uses the Angler exploit kit and the malware is usually ransomware, although banking Trojans have been seen. Some media outlets have fallen and now it has been the turn of "The Independent", which would have infected visitors who use old versions of Flash.


Wednesday, December 9, 2015

Your car can be hacked, but you can't sue the manufacturer

Unless the car suffers damage or an accident, you can't sue the car manufacturer only because it has software failures. This is the ruling handed down by a judge in the United States and we recommend it today as the interesting story of the day. We'll also talk about an initiative of the same government to secure critical infrastructures, and a cybersecurity training exercise for insurers. We'll finish with the bravery of a bank that refused to pay a cybercriminal's blackmail.

The companies Ford, General Motors and Toyota had been sued because different models of their cars had software failures that can be used by a hacker to take remote control of the vehicle. The ruling says that, although it can happen, it hasn't happened yet, and the judge can't sentence the companies for something that hasn't happened. We'll see if this ruling applies in the rest of the world. We suspect it will.


Tuesday, December 8, 2015

Cyber-steroids and digital hormones

And what if it's all a matter of steroids? It may not seem so, but we are referring to information security. New malware comes with too many hormones, as if going to a hard session at an elite fitness gym, capable of anything (and never good). And on the other hand, those devoted to protecting should also swallow lots of hormones in order to prevent, to research or to regulate. The difference between them is that breaking and destroying was always easier than fixing and rebuilding. Since the world began.

Today we face a new strain of malware designed to steal payment card data. It is nothing new under the sun, right? Well, now you must add that this malware, called Nemesis, is not only difficult to detect but also to remove. On top of that, it comes packed with some skills. Among them, it is able to implement bootkit functionality, the kind of bootkit that gets installed in the warmth of your BIOS, so if someone thinks of reinstalling the OS as the "magic formula"... well, it doesn't work like that. You can read the whole story on the blog of Pierluigi Paganini, who echoes the finding from experts at FireEye.


Monday, December 7, 2015

If you have failed, react

If there is one kind of company that is compromised by security mistakes, it is those dedicated to cybersecurity. It's as if a car's brakes stopped working, a judge took an arbitrary decision or a lamp stole light instead of illuminating. It's a crisis at all levels: corporate, reputational and maybe in turnover. Unless they react instantly, as happens in today's case. This is one of the four issues that cannot go unnoticed this Monday, 7th of December.



It was McAfee itself, part of Intel Security, which issued this warning: its enterprise-oriented product Enterprise Security Manager (ESM) has an authentication failure at admin level. That means that in certain circumstances an attacker could gain access as NGCP, which is the username created by default on first installation, without needing to check the password. The firm has immediately published an update patch and recommends applying it without delay, but also provides some tips in case you cannot apply the update.


Sunday, December 6, 2015

David Barroso: "States will have less and less prominence"

David Barroso. "Jack of all trades and a master of none".


David Barroso is one of the most intelligent hackers in the infosec community. He often says he spends 24 hours a day on his passion/job and we suspect it's true, given the many books he reads on the topic, how many people he knows on the international scene or the quality of the information he publishes on his Twitter account. In 1995 he started university and his adventure in the infosec world. Today he is 38 years old, the best age to found a startup, which is exactly what he's doing.

David looks handsome in his suit and he has travelled all around the world on business, but not many know he's a real hacker, very active in the turn-of-the-millennium infosec underground. He's the author of exploits and tools like the famous Yersinia, created as a duo with his friend Alfredo Andrés, which is nowadays the only one able to bundle various layer 2 attacks. We once heard Chema Alonso, Eleven Paths CEO, say: "When I want new ideas, I ask David Barroso".


Friday, December 4, 2015

Be careful who you accept on LinkedIn

New advice, coming from Symantec this time: it's about fake profiles on LinkedIn used to get access to your contacts and gather intelligence for different attacks. Today we'll also talk about bugs in most mobile apps, about a new ransomware campaign which steals passwords too and about the kick-off of the new Let's Encrypt initiative, welcomed by the infosec community.



Be careful with beautiful women claiming to be recruiters from various employment companies. They could be fake profiles created by cybercriminals who want to access our professional contacts in order to gather intelligence. Their objective could be spear-phishing attacks to inject blackmailing malware or to spy on their victims' computers. Symantec warns that these fake profiles can be found in every professional sector and not only in infosec, as was detected in the first wave.


Thursday, December 3, 2015

Advice for buying "intelligent devices" this Christmas

Verifying whether the device really needs a connection to the Internet, whether the manual includes security measures or whether the seller has a good reputation are some good pieces of advice offered by the European cybersecurity body, ENISA. We'll give more advice and we'll talk about 0day regulations, about technological failures in planes and about the 7th birthday of the Conficker worm, which after 7 years is still installed on thousands of computers.


ENISA has just published an in-depth report about the Internet of Things with security recommendations for builders, installers and users too. Changing passwords regularly, disconnecting the device from the Internet when it's not needed, using cable connections rather than wifi, making a proper privacy configuration or updating when possible are the most basic pieces of security advice. The publication of this manual coincides with the announcement of closer links between the US Department of Homeland Security and Silicon Valley companies to reach an agreement about how to improve the security of the Internet of Things.


Wednesday, December 2, 2015

The "cyber bad guys" don't even respect kids

The data theft at the company VTech grows as the days go by. Today we know that not just 200,000 were affected but more than 6 million, and that the stolen data included photos. The Electronic Frontier Foundation (EFF) and Google have another open front related to kids: the former accuses the latter of monitoring the people who use its learning platform. And after all this mess, we'll finish with a new hope: the Let's Encrypt project, which starts to work tomorrow.




Media around the world, and not only those dedicated to the Internet, are talking with outrage these days about the theft of data from kids and their parents, clients of the Hong Kong company VTech. Meanwhile, the reasons for this indignation are increasing: yesterday we learned that those affected weren't thousands, but 6.4 million kids and 4.8 million parents, the most affected countries being the United States, France, Great Britain and Germany. These figures were given yesterday by the company, after too many "administrative silences", seeing that it can't manage this.



Tuesday, December 1, 2015

2.3 million stolen from a woman in love with the wrong cyberman

Falling in love online is one of the most addictive and dangerous things you can do in the virtual world. The least that could happen is that the loved one isn't how we imagined when we finally meet in person. The worst that could happen is that the loved one is a fraudster, as in the case of a British woman and many others. Today we'll warn about this and also about the increase in bank attacks, about a curious complaint about using HTTPS and we'll offer you a new and interesting video from the past CyberCamp edition.

                                    

Sometimes we use this news service to talk only about high-level cybersecurity, big attacks on companies or championship hacks, but we forget a very important group of cybercrime victims: ordinary people. Today we redeem ourselves by talking about the case of a British woman who lost 2.28 million euros, defrauded by two men whom she met on an Internet dating website. According to the police, it's a frequent fraud but often it isn't reported because it's a delicate matter. From here we encourage victims to report it.


Monday, November 30, 2015

Data of thousands of kids and their parents was stolen

Personal data of 5 million parents and more than 200,000 kids, with an average age of 5 years, would have been stolen from the systems of the Chinese corporation VTech, world leader in sales of electronic toys for infants and preschoolers. The attack would have been easy, given the non-existent security measures at the company. We'll also talk about a VPN error which seems serious although it isn't very clear, about the CyberCamp congress held last weekend in Madrid and we'll recommend an interesting article about how the biggest companies of the cybereconomy avoid taxes.



5 million emails with their corresponding passwords weren't encrypted or protected in any way. Neither were the secret questions, of course. The names of the parents were easily linked with the names of the children, whose home addresses were saved too. Now the "bad guys" can know that Mary is 9 years old, where she lives, what her pet's name is and who her parents are. The company didn't know of the existence of SSL and took 15 days to give an answer: "Luckily they haven't taken financial information". Sorry for the expression, but this is pathetic.


Sunday, November 29, 2015

We can't keep hiding behind risk analysis

Antonio Ramos. CEO of Leet Security.


Antonio Ramos has a solid CV in cybersecurity. Not only for the places where he has worked or the number of certifications he has (we swear he has more than José Selvi :), but also for the quantity and quality of the organizations he belongs to, starting with the Spanish chapter of the Cloud Security Alliance, of which he is a founding member; ISACA Madrid, where he was president and is now vice-president; the European cybersecurity body ENISA; ISMS Forum Spain or the Spanish Association of Certification and Standardization (AENOR).

But when you meet him in person, all these headlines and baggage take a back seat and it is his humanity and warmth that you'll remember. Antonio, 42 years old, from Extremadura and living in Madrid, in addition to being an expert in cybersecurity has a businessman's soul and is one of the few people in this savage world who dare to start a business without dying in the attempt. A member in his own right of the business sector (the real one) of Spanish cybersecurity, he is one of its most approachable members.


Friday, November 27, 2015

Windows Phone has finally fallen

It seemed impossible, because Microsoft and Nokia had vouched for how difficult it would be for someone to break the protections of the Windows Lumia smartphones, but finally a hacker called HeathCliff did it. Today we also warn of a new malware campaign on websites that affects the popular "Reader's Digest", we explain how a criminal is blackmailing a bank in the Arab Emirates and we finish with a text to think about... all weekend.



HeathCliff didn't only break the protections of the Windows smartphones; he has also created a free tool called "Windows Phone Internals" to let users of these devices unlock them automatically and even create custom ROMs. The tool works on all versions of Windows Phone 8.1 and Windows 10 Mobile, which makes it really interesting.


Thursday, November 26, 2015

Security holes in web stores threaten Black Friday

Black Friday is very close and the entire world is ready: some stores are raising their prices, as has been warned on Twitter, and others are improving their security before the expected avalanche. Today we'll also talk about ransomware for Linux, a robbery worth millions at Russian banks, a scandal many people suspected, and a recent finding from a study: millions of devices share the same encryption key.



While rumours grow that something has happened to the credentials of some Amazon customers, and the company has asked them to change their passwords, we don't know whether the cause is a security breach at Amazon (improbable) or something else. Meanwhile, a critical vulnerability has been revealed in the popular sales management system Zen Cart that could allow attackers to get into the servers and install malware to infect visitors or obtain buyers' data. A few hours before Black Friday, it is doubtful that the stores, busy enough already, will start patching their systems, so be careful!


Wednesday, November 25, 2015

This little thing knows your credit card number and doesn’t need the PIN to empty it

The researcher Samy Kamkar caused a real mess this time: he discovered that, from a credit card, it was possible to guess the number of the new card that banks send to its owner when the current one expires or is stolen. He combined this knowledge with the possibility of shopping without entering the correct PIN and created an infernal device, on sale for 10 $. If anybody can keep reading us after that shock, we will talk about why Yahoo doesn’t like adblockers and how Facebook warned government employees that they had been hacked, and our readers will join us in reflecting on so-called “cyberterrorism” and whether it is a real threat.

Samy Kamkar warned American Express about his amazing discovery, but the company paid no attention because, although the device predicts the number of our future credit card, it can’t do the same with the 4 control digits, which rules out shopping in stores where these are requested as a security measure. Not one to sit idle, Kamkar decided to show them the danger is real by building a device that emulates credit cards and allows shopping in stores or restaurants without entering the PIN. Now American Express is paying attention, and they say they will solve the issue soon.


Tuesday, November 24, 2015

Epic Fails: Dell, Wired and the Greek Prime Minister

Today looks like National Epic Fail Day: to start, the discovery that Dell computers bought since August 2015 carry a preinstalled certificate the company didn't notify anyone about, which could endanger users' safe browsing. To continue with the mistakes, some days ago “Wired” magazine presented as the ISIS manual on the Internet what is really a harmless manual for journalists. Then we have the Greek Minister posing for official pictures with a post-it beside him with a password written on it. Finally, a guy is crying on Twitter, repentant because he helped to kill the CyberCaliphate leader.



Dell's response has been impeccable, or almost: as soon as the report on Reddit became known, Dell published a note explaining that the certificate preinstalled on its computers, with the private key included, served to give more information to its online technical support. Dell offers a tool to uninstall it and also manual instructions. What they don't say is that two weeks ago some researchers contacted the company to report the flaw and it took no notice. Nor do they say that this certificate could be used to steal personal data or to make users visit websites believing they are secure.


Monday, November 23, 2015

"Top Secret" information from the USA is available to hackers

An audit by the Department of Homeland Security of the United States has revealed the existence of at least 17 databases holding "secret" and "top secret" information with vulnerabilities that left them exposed to any malicious hacker. For those who say “I knew it”, here is the proof. Today we will also talk about a new data theft at a hotel company, Starwood; about an analysis of the TrueCrypt program which has revealed that the vulnerabilities disclosed some weeks ago weren't so horrible; and about a fair in Paris that, a few days after the terrible attacks, brought together arms and cyberweapons dealers from all around the world.



According to the DHS audit, 136 of its systems run software that had not been updated correctly, so they are open to cyberattacks. Of these 136 systems, at least 17 would be databases with information classified as Secret or Top Secret. In addition to the outdated software, inspectors detected weak passwords, websites vulnerable to Cross-Site or Cross-Frame Scripting attacks and wrong configurations. It should be made clear that other countries don't carry out these audits, and if they did we would have plenty to tear our hair out over. So the news should not be the failures found in US systems, but that the USA has had the guts to analyze them.


Sunday, November 22, 2015

Yago Jesús: "I spent one year in a police bunker to implement the DNIe"

Yago Jesús, co-founder of Security By Default


Men like Yago Jesús aren’t from Mars. They are from Saturn, at least. Yago gives the impression of a mysterious being, even to many of his friends. Serious and cool-headed, his mere presence commands respect and, as happens with other hackers, an invisible barrier seems to separate him from the world. That doesn’t mean they are rude or don’t care about anything: they just live above the rest of us, in an abstract mental corner. “I have a high sense of my personal and private life, I don’t like to air my life, I suppose that’s why you don’t have much data about me”, says Yago Jesús when I ask him for his age or place of residence.

He encourages me to look for information in an interview by Chema Alonso who, confessing he isn’t very familiar with him, praises that he can “move at ease analyzing a hexadecimal uploading or managing the 2.0 image of a company”. Yago gave details about his work there: “I participated in one of the most important deployments in Europe for ‘The ruling ISP’, (also) we built the security department for another great ‘wire’ ISP. (…) I designed and developed a tool to encrypt mobile devices for a banking entity. I was with the person responsible for the security and monitoring area in a military project…”.


Friday, November 20, 2015

This is how the Russian cybercrime works

Kaspersky Lab brings us today a new report on how cybercriminals work. This time it covers Russian cybercriminals, who specialize in financial crime and everything related to stealing money on the Internet. We’ll talk about this interesting study and also about a phishing incident at the World Bank, about some good measures taken by the North American FTC to put an end to online fraud, and we’ll continue with the CIA's social network strategy.

Someone once said that Russian cybercriminals were the best hackers in the world. Reading the report on them by the cybersecurity company Kaspersky Lab, we don’t doubt it. From trading credit data to DDoS attacks and the riskiest financial crime, such as stealing directly from users, companies and even bank accounts, the cyber thieves from Russia and the former USSR are really good. We really recommend finding a moment to read it.


Thursday, November 19, 2015

The 0day seller Zerodium publishes its price list and there are some surprises

Which would you say is more expensive: an exploit that attacks an unknown flaw in the Tor browser or one in Android? …, …, … Those who thought Android would be the cheaper one, because of the high number of flaws discovered daily, are wrong: an exploit for the Tor browser is cheaper, and the browser is not the same thing as the theoretically super-secure network of the same name. We’ll keep talking about that and, today, we also highlight the increasing complexity of the banking Trojan Dyre, the discovery of a botnet that has defrauded many advertisers on the network, and an opinion piece that advocates the “sensible disclosure” of computer flaws.



Zerodium, the seller of 0day exploits and other advanced cybersecurity tools, has done something unprecedented in its business sector: publishing its price list. In it we can see that the most expensive exploits are those that attack smartphone security: a 0day for Android and Windows Phone costs more than 100,000 dollars, and the iPhone exploit is the most expensive: more than 500,000 dollars. By contrast, 0days for traditional operating systems (Windows, Mac OS X and Linux) cost “only” 30,000 dollars. We encourage our readers to look at the price list, which is also well designed for easy reading.


Wednesday, November 18, 2015

Experts doubt that a serious terrorist would use Telegram

The Paris attacks have set off a tsunami on the network and beyond, where defenders and detractors of encryption are arguing, fed by the secret services, which are exploiting the situation to ask for more money and the expansion of their capacity to monitor the population, while activists say that so much monitoring didn’t prevent the attacks. Meanwhile, Anonymous muddies the situation by launching cyberattacks on ISIS, and they call them “idiots” and “lamers”. Writing a quality post about cybersecurity amid so much noise was hard, but we think we made it.

                                          

On the “mess” at hand, we'll just highlight a text about the allegation that the terrorists used the messaging app Telegram, which allows encrypted private chats. The recognized security expert The Grugq explains that, although officially nobody has broken Telegram's encryption, “personally I wouldn’t trust that the encryption of Telegram would protect me from an adversary in the shape of a nation”. Moreover, expecting terrorists to use only Telegram is naive, given the many possibilities the Internet offers for hiding their communications, as mentioned by Lorenzo Martínez in “Security By Default”.


Tuesday, November 17, 2015

The encryption of Windows Bitlocker could be decoded in seconds

The BitLocker hard disk encryption software, very popular on Windows systems, doesn’t protect data as safely as we think: an easy trick makes it possible to hack it, which is why Microsoft fixed it so quickly, in its latest security update. Today we'll also talk about the controversy over how much encryption helped the terrorists in Paris, we’ll discover the many flaws of one of the most widely used software platforms in the corporate world, and we’ll finally find out whether it is safe to log in to a website using our Facebook credentials.

Microsoft has patched a vulnerability that allowed attackers with physical access to our PC or laptop to reach data encrypted with the BitLocker tool. Ian Haken, from the company Synopsys, published his research last week; it uses a fake domain server to obtain the encryption passwords that Windows keeps in its cache. A few weeks ago, flaws were discovered in another data encryption program for Windows, TrueCrypt.


Monday, November 16, 2015

US military weaponry has “great cybersecurity failures”

Military artillery systems are part of the Internet of Things too and, as such, have important cybersecurity flaws. The US Government will dedicate 200 million dollars to securing them better. We’ll see if they manage it. Today we also talk about a virus that got into a police camera, about thousands of vulnerable Java applications and also about a fatal 0day in Chrome.



The president of the United States, Barack Obama, has committed to signing an order for the Pentagon to secure its weapon systems against cyberattacks. Last year, a complete inspection of the weaponry detected “important vulnerabilities” such as misconfigured programs, weak passwords and other flaws that make it possible to attack the systems with “amateur-intermediate” level skills. Another analysis, of drones, sensors, missiles and other systems, detected similar problems.


Sunday, November 15, 2015

"There are many companies spending a lot in security without thinking"

Juan Antonio Calles. Cyber Security Senior Manager in KPMG Spain

Juan Antonio Calles (on the left in the pic) and Pablo González, whom we talked with in this same section about two months ago, form an unusual tandem of friends in the individualistic world of cybersecurity. Juan Antonio, Juanan to his friends, began in this world when he started as an intern at the company Informática64, today Eleven Paths. But Juanan had been playing with computers for many years, specifically, and this isn’t a joke, since he was 4 years old, when his uncle Juan Luís gave him an Amstrad CPC 464. His uncle didn’t stop there and kept giving him his used computers, as well as the necessary knowledge.

Actually, explains Juan Antonio, today 28 years old and living in Mostoles, what always attracted his attention was “being an undercarriage designer, like Scaglietti or Pininfarina, I spent all day drawing cars”. But his uncle's influence was stronger and, on top of that, Pablo, his friend since he was 8 years old, works in computing too. So he was doomed: Juanan enrolled at university while working. In March 2014 he created his own company, Zink Security, which was sold to the multinational KPMG six months ago.


Friday, November 13, 2015

The good life of cybercriminals

“The first impression of the Brazilian cybercriminals is that they love to boast about the money stolen and the good life of being a criminal. They compared themselves to Robin Hood”. That’s the beginning of an interesting report on the Brazilian computing underground, by Fabio Assolini. Today we talk about other criminals too, such as those who rent out ransomware services, or those who launch DDoS attacks and ask for a ransom. We find a lot of different people in this world, even managers from Apple who don’t need criminals to create great chaos.


The report “Beaches, carnival and cybercrime: a look to the Brazilian underground” by Kaspersky Lab makes a thorough analysis of one of the oldest, most creative and most colorful cybercriminal communities in the world, specialized in banking Trojans and phishing campaigns. For many years Brazilian law did not cover cybercrime, which let this community grow up with a strong sense of impunity. So they boast about the stolen money, their life of luxury and the prostitutes they hire in the pictures they show on social networks. Interesting reading.


Thursday, November 12, 2015

Amazon sells tablets with a virus

It isn’t the first time that smartphones, tablets or even computers go on sale with pre-installed malware, especially if they are made in China. What is unusual is that these devices are sold in trusted shops like Amazon. We talk about that on a day with really big news: it has been discovered that the company responsible for the telephone service in US penitentiaries had recorded conversations between prisoners and lawyers, that the FBI paid a respected university to hack Tor, and finally that calls made using the new Samsungs can be intercepted… without being the operator or the police.


According to a report by Cheetah Mobile, more than 30 brands of Chinese Android tablets currently sold on Amazon and other online stores would come with the Cloudsota malware preinstalled, a dangerous Trojan which can install adware, steal data or hijack search results. Cheetah Mobile provides a list of the infected brands, which would have been in the stores for months; more than 17,000 units were sold in 150 countries, especially in Mexico, the United States and Turkey. The most painful thing is that, despite having been warned, the online stores, Amazon included, didn’t withdraw the tablets. It is the infected users who warn people of the problem in the comments on these products.


Wednesday, November 11, 2015

The biggest financial hack in history revealed

Yesterday the Justice Department of the United States told the world an amazing story: how three men, two of them arrested this July, planned the biggest financial hack in history, with which they made more than 100 million dollars. Today it is a trending topic in the digital media and we try to summarize it for our readers. We also talk about the sale of 0days for nuclear plants, about pentesting with drones and about a revealing interview with the ex-director of the Spanish National Intelligence Center (CNI).

                                       
They are allegedly responsible for the biggest data theft from a bank, JPMorgan in 2014, where they obtained personal information on 83 million people. They also attacked other banks and financial centers, among them E*Trade and Scottrade. They used the stolen information to artificially manipulate share prices on the stock market and laundered money with the help of online casinos and a Bitcoin exchange website. One of them, Joshua Samuel Aaron, 31 years old, is still being sought.


Tuesday, November 10, 2015

A critical failure by the “bad guys” allows the Linux ransomware to be decrypted

Yesterday, astonished and frightened, we reported the emergence of ransomware that attacks Linux servers. Today we have a smile on our lips as we explain the ending: the ransomware's encryption is badly done, so it’s possible to work out how to decrypt it. Today we'll also talk about the unbearable vulnerability of Adobe Flash Player, the increasing laziness in the world of certifications and a much-talked-about intrusion into the networks of the British Parliament.


Since yesterday many websites infected by the ransomware Linux.Encoder.1 have been discovered. The malware uses the hole in the e-commerce platform Magento to get into Linux servers, encrypting their contents, backups included, and asking for a ransom of 1 Bitcoin. Luckily, the firm Bitdefender has discovered a huge flaw in the encryption that makes it possible to infer the decryption key. They have created a tool which does it automatically and they offer it for free. But nobody should lower their guard, because for the criminals it’s as easy as releasing another ransomware, this time without flaws.


Monday, November 9, 2015

Even more dangerous: now ransomware infects websites

Ransomware is good business for computer crime, so much so that it evolves in new and sophisticated ways. One of the most dangerous is opened up by Linux.Encoder.1, ransomware able to attack web servers running the Linux operating system. There are a lot of businesses that may become victims of this new virus... better not to guess how many. Today we will talk mainly about attacks: the DDoS against ProtonMail goes on, the CyberCaliphate resurges and some kids called Crackas With Attitude play Billy the Kid with the CIA and the FBI.

The new ransomware, discovered by the Russian security firm Dr. Web, hit the website of a designer using an unpatched version of the e-commerce platform Magento. The flaw was announced last April, and that's what the virus took advantage of to get into the server. It encrypted the whole home directory, backup directories and folders linked to the web server, with files, images, libraries and scripts. For the moment, no antivirus is able to detect this ransomware.


Sunday, November 8, 2015

Deepak Daswani: "Don’t fight against envy, transform it"

Deepak Daswani. Communicator and IT security expert.


Deepak Daswani is known for his work, over the last two years, as the Security Evangelist of one of the main state cybersecurity centers in Spain, INCIBE. When you get to know him you realize they made the right decision in choosing him: expert knowledge of the topic, a perfect way with words, emotional intelligence, diplomatic spirit and good looks like few people in the hacking world; 1.95 in height and 86 kg of muscle forged by boxing and weight training. Slurp, some female hacker would say, but no. Dipu is happily married, has a beautiful 3-year-old daughter and is a little shy at the beginning, not a heartbreaker.

He has just landed at Deloitte's CyberSOC Academy, his new job after recently leaving INCIBE. There he’ll keep teaching, educating and, in the end, evangelizing about IT security, but with the option of sleeping every night (or most of the time) at home, in the Canary Islands. He’ll keep collaborating with the media, but without stress, helping to “translate this world, so technical and complex, into clear language, so the viewer can understand it”. This is his gift.

- Well, and the music?

- It's one of my biggest passions, besides hacking. When I was a child I played the organ for 8 years with the Yamaha Japanese method, and I love being a DJ too; in the Canary Islands there’s a lot of DJ and electronic music culture. I played as an amateur at some parties, weddings and this kind of stuff.

- Are you Spanish?

- Yes, I’m Canarian with Hindu origins. In the Canary Islands there’s a big community of Hindu people with electronics businesses. I was born here, second or third generation, a real Canarian with Hindu origins, but it also generates confusion because I’m not the typical Hindu in my looks (I'm not brown, rather the opposite)… so I go unnoticed.

- Your name must have been a bit of a cross to bear for you...

- When I was a child it brought me a lot of problems at school. When the roll was being called and the teacher was new and got stuck, I knew it was my turn, just like at university… but it has good things too, because now that, in addition to giving conferences, I collaborate with a lot of media, in the end a different name attracts much more attention.

- Why did you leave INCIBE?

- At INCIBE I had an amazing time on both a professional and a personal level, and I’ll always be grateful to the management for the confidence they had in me, giving me a mission as relevant as representing the organization, as well as to the colleagues who made me feel at home. But I’m the kind of person who always looks for new challenges and runs from immobility. One of my faculty teachers, a great friend of mine, says that I’m a “restless person”.

- To achieve this position you had to beat 600 people??!

- If I remember well, 600 people registered on the platform to take the online hacking tests, 160 completed them, 60-70 were interviewed and 20 were selected, with 19 finally joining.


- Did INCIBE teach you this serious, qualified look, or did you already have it before?

- Since before, I guess. However, those who know me a little know that I may seem serious at work, but I love joking. Once I build confidence with someone, I don’t stop joking.

- How did you discover that you liked IT security?

- I always loved tinkering with computers. When I had my first AMIGA 500, besides playing with it I devoted myself to programming in BASIC thanks to a book of BASIC for children that my father bought. After that, with my first 286, I wrote BAT scripts in MS-DOS, and when the modem/fax appeared, I liked to connect to BBSs to download programs and exchange knowledge. Since I was a child I liked hacking and the mystical halo associated with the figures of those times, like Kevin Mitnick. I did my teenage things and then I focused on university.

- Wow! But, how old are you?

- 35. I always knew that I wanted to learn and become a hacker, but I never hoped to do it professionally. In Tenerife there’s a lot of work in the ICT sector, but not in security. I worked in the ICT sector in development, in banking, in geographic engineering and GIS, and in the end I ended up working in my real passion.


- You’re the author of the “Whatsapp Discover” tool, which extracts phone numbers of Whatsapp users through network traffic.

- I discovered it at the end of 2013 and published it in the middle of 2014. Although the Whatsapp conversations we have with our contacts are encrypted, our smartphones send data packets containing our phone number to the Whatsapp servers before establishing the communication. This is why users of public Wifi networks, like those in airports, hotels or malls, risk exposing their phone number. Whatsapp Discover extracts these phone numbers on this kind of network.

- Personally I loved your research called “My 2-year-old daughter helped me hack the Pocoyó app” :)

- Well, it wasn’t such a big deal, but it was funny because while I was monitoring the home network traffic to work on WhatsApp Discover, Lara was sitting by my side, focused on watching Pocoyó on her iPad. So it's no coincidence that her traffic showed up in my network capture, and from there, the rest is the same: curiosity and attention to detail. It's clear that without her help I wouldn’t have made it :)


- Do you have any beautiful quote you’ve turned into a password?

“If you can dream it, you can do it…”

(Unfortunately it isn’t mine but I love it) ;)

If you want one of mine, here we go, although I don’t know if it’s beautiful: “Envy is a natural emotion. Don’t fight against it, transform it into your motivation”.

- It’s very accurate. :)


Text: Mercè Molist