Saturday, February 28, 2015

Only the paranoid survive

Andrew Grove's life is closely linked to Intel Corporation, which he led to the top. Grove was its third employee, its president in 1979 and CEO in 1987, a position to which he added Chairman of the Board in 1997. Grove has written several scientific books, but one dedicated to entrepreneurs stands out: "Only the Paranoid Survive. How to Exploit the Crisis Points That Challenge Every Company". As he learned well from the technology world, keeping an active degree of paranoia is always a positive value.

Today's news reminds us that paranoia, especially in information security, often proves us right. For example, we could be called paranoid if we made public our suspicions about Facebook employees entering our accounts without asking permission or notifying us. Well, Paavo Siljamäki, a record company director, explains how, during a visit to Facebook's facilities, an employee asked him if he could access his account for a demonstration; he accepted and, without asking for his password, the employee logged in.

Friday, February 27, 2015

From the breach to the origin of the problem. How to prevent it?

The correct cycle in security is prevention -> protection -> breach. But as you know, the bad guys usually attack our weakest points. Therefore, we will review the whole process, from protection to the security gap, and from there to future prevention measures. Let's begin!

There is malware that can spy on you, even when your device is off. This little worm, recently discovered by the folks at AVG, hijacks the shutdown process. It leads users to believe that their devices are disconnected, but it only closes unnecessary processes while maintaining connectivity and other basic functions in order to communicate with its control center.

Thursday, February 26, 2015

From the basics to advanced digital security

"Let's begin lesson 1." Sometimes we forget to start from the beginning and jump straight to the point. We also do that in computer security. But what is computer security? What are the threats we should protect ourselves against? Today we will try to begin from the basics and move ahead to the increasing complexity of the security sector.

What is a 0-day? It is a term usually used to name those vulnerabilities that allow an attacker to obtain some kind of advantage. They are called 0-days because they have been detected for the first time, so the manufacturer, the developers or the community have not yet released a patch to address them.

Wednesday, February 25, 2015

Old rockers of cybercrime never die

“Los viejos rockeros nunca mueren” ("Old rockers never die") was the eighth album by Miguel Rios, a Spanish singer and composer considered one of the pioneers of this music genre in Spain. Actually the mentioned album meant a second golden age for this singer, as it seems to be happening for malware and cybercrime nowadays.

The latest Cyber Risk Report 2015, released by HP Security Research a few days ago, confirms what Miguel Rios said in the late 70s: the old rockers (of malware, in this case) never die. 44% of the top 10 security breaches last year happened due to old vulnerabilities that had been known for a long time. In fact, one in ten had taken advantage of pieces of code written some decades ago...

Tuesday, February 24, 2015

Low-cost hackers vs. professional hacking

5:45 am. You wake up a bit disoriented. The buzz of your alarm does not stop. You take your phone and bring the screen close to your face. You are not wearing your glasses and the blinding light of the device forces you to pull different and grotesque faces. Slowly you begin to distinguish some shapes: it is the Calendar app, it is labeled with a red square, so... You get to your feet, and in just five minutes you are at the controls of your computer. The company's services are experiencing a denial of service attack.

How to deal with such a situation? The duty team is already aware of the situation, monitoring requests, looking for patterns and IP ranges to route and block traffic. You soon receive a call from your supervisor.

Monday, February 23, 2015

Using the same key for all devices / clients / services

Sufis told the story of a locksmith who, in a prison for crimes he did not commit, finds a way to escape thanks to a well-thought-out plan. The trigger was the carpet that his wife managed to give him so he could perform his daily prayers. But the finely woven carpet had a big key in the center, along with all the steps to be followed embroidered around it.

The thesis of the story is that anyone can use what he has around him to get a key. A unique key which can open any obstacle that comes his way. In fact, one of the biggest obstacles today is known as Superfish, the bloat/ad/malware that came with Lenovo devices and was used by others as a key for their misdeeds.

Sunday, February 22, 2015

Top 5 Infosec links of the week (LXIV)

We have been riding this new technology revolution for a long time and it shows no signs of stopping. On the contrary, areas such as computer security are accelerating more and more. That gives more value to manuals, guides and anything that might help us stay afloat, surfing those higher and higher waves, so different from what our life, politics and economy used to be in the past.

Luckily, we have good advisors among us and our readers know how to detect them. This explains why the most read articles this week (and many others) in this information service of yours are texts that give answers, such as the new Center for Industrial Cybersecurity document "Best Practices for Diagnosis of Cyber Security in Industrial Environments 2014". Even though it costs 250 euros, it has drawn a lot of our visitors' attention.

Saturday, February 21, 2015

What a mess with Lenovo's SuperFish!

"Sorry". "We're so sorry". "We were wrong". Computer maker Lenovo is immersed in one of its darkest episodes, after it was discovered that its laptops ship with "adware" by default which, besides filling new customers' screens with unwanted advertising, makes them vulnerable to attacks. The company cries on social networks, trying to look like ordinary humans who have made a mistake. But people pay no attention to crying when it comes to their security.

"You cannot manage it just by sending a tweet. We want to see real consequences. There must be some executives who have been responsible for this and should resign", was one of the harsh replies that Lenovo's contrition received on Twitter. The company has quickly issued a tool to remove the "adware", incidentally named Superfish. Lenovo's CTO made things worse when he described the experts' accusations as "only theoretical". Those accusations said that Superfish opens security holes on computers, and now Errata Security has proved it.

Friday, February 20, 2015

I just wanna live while I'm alive

Bon Jovi’s single "It's my life" was released on May 23, 2000. Its chorus said "I just wanna live while I’m alive", which was an allegory of the story of the single itself. It was an example of how to put rock back at the top of the charts in many countries so young people could enjoy it.

"It's my life" was the voice of a society that demanded a change, an adaptation to the new technological environment, more connected than ever. Cybersecurity, the Internet and computer security began to be valuable. Now Ponemon has analyzed these fields in detail. The average cost of cybercrime increased by 96% in 2014 compared to its first study, conducted just five years ago. The world is changing. It's time to live.

Thursday, February 19, 2015

Privacy as currency of the digital world

To some extent, everyone wants to defend their privacy. We all understand privacy as a right and, therefore, do not hesitate to fight for it when we feel that it is being violated.

However, we jump to our Facebook profile and carelessly upload photos of us and other people. We chat shamelessly on Twitter, letting the rest of humanity know our geolocation, and we open our email account on any computer, whether it is a personal or a public one. The way we protect our privacy is quite poor indeed.

The Spanish data protection agency, AEPD, recently published the results of a cookie analysis carried out on Europe's 500 most visited websites. The data is overwhelming: only 16% of sites properly inform users of the use they make of cookies and offer them basic control over these files. 26% do not even inform users of their use, and 70% are from third-party services, more than half of which are controlled by 25 major advertising companies and social networks.

Wednesday, February 18, 2015

Everything seems quiet, but cyber war goes on

"Many organizations are not addressing key issues in the IT security landscape today. The technology to be protected against them does exist. For example, there are solutions to avoid leaks of information from one place to another or to secure 100% of our files, but the reality is that only 1% of corporations worldwide is fully protected." Mario Garcia, CEO of Check Point for Spain and Portugal, said that in the context of current challenges for corporate security at the Cybersecurity Forum 2015.

That debate highlighted several critical issues of business-focused security and the lack of security awareness in senior leadership. Traditional defenses no longer work, according to FireEye’s latest study on the state of the art in cybersecurity. Both objectives and attack methods have changed, so companies need to stay up to date.

Tuesday, February 17, 2015

You are still exposed to technologies and fraud from the last century

In 1997, in a dimly lit room, the future of spyware began to be forged. Equation was an APT quite similar to Flame and Stuxnet that found a perfect distribution pathway in the brand new CD-ROM technology.

Silent as the best of the spies, such malware was able to install the firmware of several hard drives. It was in 2001, but we have not had any evidence of its existence until today.

Monday, February 16, 2015

Crime, security and law drink from the digital fountain

The digital world has changed our reality forever. More and more elements are being managed digitally. This has some advantages, such as accessibility, immediacy and greater control (monitoring). But it also brings some risks.

According to Kaspersky, at least 100 banks (mostly Russian, Ukrainian and Chinese) have been the target of the greatest cyber theft in history, which has been valued at around one billion dollars. Cyber crooks used several techniques ranging from social engineering against "low-level" employees of vendor companies and associated financial institutions to infecting computers and devices connected to the banks with malware.

Sunday, February 15, 2015

Top 5 infosec links of the week (LXIII)

In the huge source of quotes that is the Internet we may find what Isaac Newton once said: "Unity is variety, and variety in unity is the supreme law of Universe". If this is true, then this blog is close to becoming one of those supreme laws. Since last Monday, you the readers have made variety the main theme of the stories leading to this top 5 of the week.

Variety number 1: cyber war. The week started hard, really hard. If we could take a cocktail shaker and shake two things like Anonymous and Islamic State, then we should run out of there, because it would be an explosive cocktail. The hacktivist group broke ISIS computer defenses and left its social media accounts... well, 'looking like hell'. Those who commit attacks sometimes suffer them too.

Saturday, February 14, 2015

50 shades of... (in)security

This week one of the most viral movies of recent times has been released all over the world: '50 shades of Grey'. It's a kind of review of classics like 'Cinderella' or 'Pretty Woman', with some explicit sexual content. For film critics, it has a predictable screenplay, but it's a "yes or yes" decision for millions of moviegoers. So it's... just like computer infection, isn't it?

After all, the vast majority of vulnerabilities or issues on devices are predictable. And they will be much more predictable from now on, if US companies begin to share information on risks and security, just as set out in the Executive Order that President Obama signed just yesterday. It's been a long-announced Executive Order, as if it were a film premiere, and now the curtain has been raised.

Friday, February 13, 2015

What does the Internet have that makes everybody fall in love with it?

Tomorrow is Valentine's Day. Every year, February 14th is highlighted on the calendar of most couples. And cybercriminals are aware of it, so they look for a way to take advantage of the usual haste and carelessness of lovers.

Whether we have a partner or not, we always have a few candidates. Therefore a group of cybercriminals somewhere will be wrapping any of the 7 gifts they talk about at ESET. Chocolate boxes with worms, spam love letters, "trojanized" cuddly toys, infected flower bouquets, geolocation jewelry, downloadable files with a gift and fake discount vouchers. There is something for everyone.

Thursday, February 12, 2015

Internet outlaws: Fraud, Security and Anonymity

Wanted, dead or alive! They are three dangerous subjects. They are used to chewing on smuggled personal data behind the shelter of hidden networks. They are stealthy and good at the keyboard. And they are not afraid of anything. Fraud, Security and Anonymity are the band that strikes terror into the digital world.

Fraud is everything a ruthless villain would be. It is the leader of the underworld, who does not hesitate to hit the big fish. It sometimes does it in an old-fashioned way, by infecting clients' computers and triggering an alert when such a user accesses his banking portal. The user is then shown a message about an alleged erroneous transfer that he should return. And it works indeed.

Wednesday, February 11, 2015

The Safer Internet Day was like this

The XII edition of the Safer Internet Day (SID) was celebrated yesterday. Both companies and media use this date to raise public awareness of the importance of cyber protection and the need for appropriate security measures to make this environment a safer place. Here we will pick up some of the topics from yesterday.

The guys at ESET Latinoamérica warn of the dangers of our universe of connected devices. In five years, almost any kind of technology around us will be connected and sharing information, which requires security measures and standardization in order to safeguard the integrity of such data.

Tuesday, February 10, 2015

Security professionals are like superheroes

Upon any threat or scenario, security professionals work to fight bad guys wherever they are and whatever resources they have. They are the unsung heroes of the Internet, the superheroes of our reality.

There are great superheroes in the history of comics. Some of them had magical powers, others divine ones. Tony Stark (Iron Man), Bruce Wayne (Batman) or Hank Pym (first Ant-man) acquired their superhero status thanks to their scientific achievements. They "hacked" the system with their intellect, standing out from the rest of the crowd, and fighting many battles for citizens’ freedom.

The attack on JPMorgan bank a few months ago, in which sensitive data of 76 million households and 7 million businesses was stolen, is still making headlines. This time it is due to its consequences for citizens’ security. The SEC (Securities and Exchange Commission) is auditing other US banks, a trend being followed by other countries, such as the UK. This is beginning to be called the international crusade against banking crime.

Monday, February 9, 2015

A digital world full of ghost armies

In the Second World War, the 23rd Headquarters Special Troops based in Tennessee was formed mainly by artists, architects, actors, designers and engineers. The mission of those men was to let their imagination fly in order to devise strategies that made the Nazi army lose soldiers and resources without any real danger for the Americans.

It was known as the Ghost Army some years later. It participated in several major battles and it is estimated that it saved between fifteen and thirty thousand lives on the Allied side although it opened fire on the Germans just once.

Sunday, February 8, 2015

Top 5 Infosec links of the week (LXII)

"The problem with the Internet is that we have no way of knowing if someone is watching us, unless he or they make it public", says Manuel Medina, Spanish computer security guru, in an interview that has been the most interesting news this week for our readers. Moreover, Medina says it's no use hiding our heads in the sand and saying we do not care who observes us, because "if someone violates your privacy, he is doing the same to those people who have trusted us".

Indeed, in cyberspace everything is closely connected, and it is here more than anywhere else that it's easy to realize that "the flight of a butterfly can cause a tsunami across the world." Our privacy, says Medina, supports and builds on the privacy of others. By the way, one of the most aggressive companies against its customers' privacy, Verizon, has announced that the tracking "cookies" installed on their mobile devices would be deleted at will.

Saturday, February 7, 2015

Playing with your data

No one will dispute that the cost of living is very high, also for cybercriminals: in 2007, one stolen email account would fetch an average of 10 euros on the black market; today you'd be lucky if someone paid you the same amount for 1,000 email accounts. And one credit card, with its credentials, costs no more than 15 euros. It's difficult to earn a decent wage with these prices going down, so we see more and more thefts of more and more sensitive information.

The latest incident has been the theft of a lot of information (financial, health, place of residence, etc.) from 80 million Americans, customers and former customers of Anthem, the second insurer in the country. Right now they're investigating how the thieves managed to steal those databases that, oh surprise, were not encrypted.

Friday, February 6, 2015

Do you need to be a criminal to become rich on the Internet?

In 1976, a television miniseries called "Rich Man, Poor Man" reaped great success worldwide. Loaded with all ingredients of drama and soap opera, the plot of this miniseries recalls the current state of computer security: Two brothers, a smart and ambitious one, who is only focused on making money, and another more humane and good, but poor and quarrelsome.

Ross Ulbricht, who created the Silk Road site on the dark web, would certainly be the richest man in our film, but now there is no good news for him. His trial, which has been closely followed by the security community, finished yesterday. Ulbricht was unanimously declared guilty of drug trafficking through the Internet, conspiracy and violation of computer security. Now he awaits his sentence on 15 May, which could send him to prison for over 20 years.

Thursday, February 5, 2015

Security on the Internet: Some tips

The network is a vast unexplored territory. Both users and cybercriminals come together there. As we saw yesterday, the bad boys threaten your digital identity, which increasingly affects you in the real world too.

In 2015 we are witnessing massive attacks on the networks and servers of large gaming platforms and vulnerabilities arising in the most popular operating systems. All this translates into the user constantly upgrading his services and OS to patch security holes. He also has to be aware of sophisticated ransomware being spread all over the network by phishing, social engineering campaigns and malicious Internet ads.

Wednesday, February 4, 2015

From virtual to real environment: digital crime may pay dearly for its misdeeds

It began as a game, but it has become real. Digital crime may pay dearly for its misdeeds today. Events in the virtual environment have more and more consequences in the physical one. Are you prepared for that?

Rapid7 has warned that around 5,800 US gas tanks are vulnerable to attacks since their configuration panels are accessible from the Internet WITHOUT ANY PASSWORD.

Tuesday, February 3, 2015

Users and companies: Two ways to understand cybersecurity

Several elements are doomed to live in harmony in cyberspace. One of them is the companies offering their products and services to users. Both businesses and users seek to share the same space, trying to strengthen their positions, in an eternal dispute over the complex digital balance.

Users are most concerned about privacy, while companies are most concerned about security. You sometimes have to give up a bit on one side to gain on the other, and vice versa. Thus, it seems interesting to spend some minutes reading about these two topics, right? Let's begin.

Monday, February 2, 2015

Cybersecurity design: protection, user experience and cyber weapons

Design as a science is a couple of centuries old. Until then, design was called crafts. Back then its aesthetic interest was not necessarily related to its functionality. The industrialization of design led us to an environment where the feelings and experiences of buyers were part of the product value. This affects all economic sectors, cybersecurity being one of the last to take the plunge.

But security must be understood by the end user as an information catalyst. Following the news of some companies using a web tracking system based on a "Zombie Cookie" (a cookie that cannot be erased from the system), Verizon is considering offering its customers the ability to remove it with no adverse effects on their business.

Sunday, February 1, 2015

Top 5 infosec links of the week (LXII)

"If words of command are not clear and distinct, if orders are not thoroughly understood, the general is to blame. But if his orders ARE clear, and the soldiers nevertheless disobey, then it is the fault of their officers". The 'Craining training' passage from Sun-Tzu's 'The Art of War' ends with a tragic outcome: the leaders of the companies are beheaded. To set an example. So that no one doubts the power of the general from then on. His orders must not become a joke.

Likewise, hacking a Twitter account (better to say "usurping" it) may not be the most important industry news. Surely the painstaking work of thousands of researchers seeking to ward off risks, patch systems and neutralize cyberattacks is more important. Yes, but when the Twitter account is the fourth most followed in the world and belongs to Taylor Swift, hacking it is an "exemplary" action; not "exemplary" behavior, of course, but a sign of how much we are exposed to digital risks day by day. And that's why it has been one of the most visited news items of this week, at least here within CIGTR's community.