Tuesday, March 31, 2015

US government agents, caught doing dirty business in Tor

It is the story of the day: two officers, one from the DEA and one from the Secret Service, have been arrested in the United States for profiting as spies during the investigation into Silk Road, which was the most famous black market on the Tor network. A bizarre story if ever there was one, and we learn of it on the same day it is reported that cybercrime profits already exceed those of drug trafficking.

According to the indictment of agents Carl Force, of the DEA, and Shaun Bridges, of the Secret Service, both acted as double agents during the investigation that led to the closure of Silk Road, selling the site administrators information about the steps the police were taking. They also helped plan the murder of one of the site's contributors, which ultimately was not carried out. The story really is worthy of a film.

Monday, March 30, 2015

31 World leaders passports uncovered

In the era of machines, nobody seems to be safe from their data escaping all barriers and running free across the networks. We say it almost as a joke, but it is an extremely serious problem, for which there are not yet any definitive solutions. Today we learned that not even the main leaders of our planet are spared from this plague. Yes, we're talking about Barack Obama, Angela Merkel and Tony Abbott.

It happened in November last year, at a G20 meeting in Australia: someone in the organization sent a list with personal data of the invited leaders, including passport numbers, to a football committee chief. But as bad luck would have it, the Microsoft Outlook "autocomplete" function sent it to another person, who was alerted and immediately erased it. Nobody counted on the "backup" diary, which kept the data in the system.

Sunday, March 29, 2015

Top 5 infosec links of the week (LXVIII)

Fool me once, shame on you; fool me twice, shame on me. We have almost accepted that we may fall victim to an incident at any time, but at least we keep the point of honour of expecting the scam, attack or hack not to be so undignified. There are times when the exposure of a security breach is not only a risk, but seems to make fools of us. That is how the hottest news of the week has arrived.

That is the case of the Australian electoral authorities, who paled when, at the beginning of the week, we learned that their online voting systems are vulnerable to attack vectors including the newly discovered FREAK. A vulnerability that makes you look like the class nerd if even one ballot is manipulated.

Saturday, March 28, 2015

Cyber romanticism and business

On this day, 170 years ago, what is considered the crowning work of Spanish Romanticism premiered: Don Juan Tenorio by José Zorrilla, a drama embodying the myth of Don Juan. Trickster, wrongdoer, arrogant, contemptuous and seducer of virgins. A fully fledged 'hacker' of public behavior, always looking beyond the limits. But as we will see at the end of this post, he could even be on our side.

It has been a long time since cybercriminals stopped being the romantic figure of Don Juan. In their efforts to infiltrate systems we don't even find the behavior of a swashbuckler counting how many devices he has infected. The slogan that moves them is "show me the money", and they do not hesitate to take advantage of the 'maidens' attracted by the most seductive face of the Internet: gaming platforms, tools for early adopters, or collaborative spaces for code development. The thieves in digital balaclavas are primarily marketing experts: they go where the user is, because that is where the business is.

Friday, March 27, 2015

Beware of your hotel wifi these holidays

We're starting to get used to hearing stories that keep you awake at night about public wifi connections and, especially, hotel wifi services. A few years ago, a criminal operation called Dark Hotel was discovered, which attacked the computers of executives traveling on business when they connected their devices to the hotel wifi service. Since then, we have looked with new eyes at the very relative privacy these connections can give us.

If you, dear reader, are planning to stay in a hotel these Easter holidays, you should know that a major security flaw has recently been discovered in the "routers" of many hotel chains, which could allow an attacker to deliver viruses to those who connect via wifi, steal data or spy on what they send through the network, and even learn their names and where they are staying.

Thursday, March 26, 2015

False certificates are an increasingly serious threat

100% of organizations in the UK have suffered some kind of attack with fake certificates in the past two years. The impersonation of Certification Authorities and the forgery of certificates are increasingly common. We'll discuss it below, along with other interesting news: insecurity at gas stations, "sextortion" with mobile phones and a curious story about scams using Wikipedia.

According to a study by the well-regarded Ponemon Institute, in the United Kingdom, Australia, France, Germany and the US, attacks against the keys and certificates used in web servers, network and cloud services have grown 40% in the last two years. Russian criminals recently stole digital certificates from one of the world's top five banks, enabling them to steal data from 80 million customers. However, 63% of organizations say they know little about where their certificates are and what they are used for.

Wednesday, March 25, 2015

Take care with your mobile phone, it's the devil's work

Most of us are not aware of it, but mobile phones are insecure, easily attacked devices that we always carry with us: the perfect apparatus for, say, a spying operation. News about vulnerabilities, new attacks and fraudulent applications is constant in this field, for both iPhone and Android, although the latter, as we say colloquially, "takes the cake".

Palo Alto Networks has discovered a flaw, present in 49.5% of Android systems, which could allow an attacker to hijack the installation of new applications and "sneak" a virus in. It should be made clear that, in principle and for now, this only works with third-party applications not downloaded from Google Play, and that Android versions 4.4 and later are safe. Which leads us to recommend, for the umpteenth time, that "apps" be downloaded from Google Play and that phones be kept updated.

Tuesday, March 24, 2015

So now we are all modern, and still, they trick us like it's nothing

Which is the most dangerous tool in computer security? Maybe some new exploit to attack the BIOS? Perhaps the nth vulnerability in Adobe? Well, no. After 20 years wreaking havoc, social engineering is still the number one threat to computer systems. And people are still the biggest failure. We're usually fooled by our ambition to win prizes, or our natural tendency to help others. This is, by far, the "bug" number one.

Kevin Mitnick, the king of social engineering, reminded us of this at CeBIT 2015. Mitnick forged his legend practically without touching computers; his "hacking" was carried out through social engineering, by deceiving others. During his talk at the world's largest computer fair, Mitnick showed some tricks that still work, like digging through the trash to find confidential business information, or a virus disguised to look like a legitimate program update.

Monday, March 23, 2015

Database thefts are more and more serious

Should a company from which its customers' sensitive data has been stolen indemnify them? And if those data were bank accounts that have been raided, should the banks be compensated? This is the case of Target Corporation, a company that was robbed in December, when the thieves got the credit and debit card numbers of 40 million users, opening a legal debate in the United States that will set precedents throughout the world. We'll talk about this and about other catastrophic robberies.

At the end of last week, Target reached an agreement with the citizens who had sued it after the data leak. Each harmed user will be compensated with $10,000. This does not spare the corporation from facing the demands of various banks that want the company to assume the cost of the thefts from the accounts exposed by the leak. The banks accuse Target of storing credit card numbers on its servers, when the law required it to destroy them once the payment was made.

Sunday, March 22, 2015

Top 5 Infosec links of the week (LXVII)

We complain about its insecurity and about it selling our privacy but, ah!, few Internet users have managed to resist its influence and not have a Facebook account. It attracts us as much as it repels us, and so, as might be expected, our most read news this week, in this news feed of yours, is about Facebook. Behind it we have stories with more "charm", such as the Internet of Things, cyberwar and more.

The news was worth it: Facebook has activated a new service that allows payments among users, provided they add a card number to their profile and a password to make payments. If it works, it could mean a major change for the social network, with the emergence of new services such as auctions, sales, donations...

Saturday, March 21, 2015

How exposed are we in the digital world?

The deception techniques that work in the physical world also work in the digital world. And they work even better, because users tend to see the digital world as detached from reality. Here are some examples in which actions in that world affect many people's day-to-day lives.

Oh, those emails... You wake up one morning and there is a bank alert in your inbox. Apparently, during the night someone attempted a charge (or hundreds) for an amount far higher than what you usually spend, so they have decided to temporarily block the account until you get in touch with them directly. They send you a Microsoft Word document explaining the whole operation. But you only have to open that document to be infected and for your account to be compromised.

Friday, March 20, 2015

Caught by a "selfie"

It is not the first time, and it won't be the last, that an offender shows off on social networks and, besides gaining lots of followers, allows law enforcement to locate and arrest him. Today we begin our news summary with the bizarre story of Lance Early, age 28, born in Ohio. A light item as an appetizer before moving on to weightier news: China and cyberwar, the absolute fragility of mobile applications and the latest in malware: attacks on the BIOS.

Lance Early had such a sense of impunity on social networks that his Twitter account was full of photos of... bills! He possibly earned them by selling personal data and filing false tax returns. Accused of 46 fraud offenses, he escaped during his trial and, instead of hiding, posted some "selfies" on his Twitter account, which allowed the police to locate and arrest him again.

Thursday, March 19, 2015

Facebook adds a controversial feature: payments between users

Today's a great day for more than a billion people registered on Facebook. The social network has added a novelty to Messenger that allows users to send money to each other. They'll only need to add a credit card number to their account and protect payments with a password or dual factor authentication. But what is great for users is seen as a serious threat to some security experts.

There has always been a double standard on the Internet: that of the user and that of those who know how the machines work. While users just see graphic design, marketing and the social joy of having thousands of friends, experts see how little security Facebook provides for the photos, accounts and, in general, the privacy of those who use the service. We cross our fingers and hope that this time will be different.

Wednesday, March 18, 2015

Bad people are increasingly bad... and good people too?

We woke up this morning to some stories to keep you awake at night, stories that make us wonder whether those who should protect us on the Internet are truly willing to do so. Rather, it seems that some of them don't have their own house in order, while crime goes unpunished, especially in its ghettos. That's what our first story is about: a ghetto called the Dark Web where, for the umpteenth time, a thief has stolen from other thieves, and now we should expect him to have one hundred years of forgiveness.
The thief is known by two aliases: Kimble and Verto, both administrators of Evolution Market, the dark web bazaar where criminals were selling all kinds of contraband, from drugs to stolen passwords. In the last 24 hours, Kimble and Verto have closed the market and disappeared with the money they owed to the merchants, which could exceed $12 million in bitcoins. Nobody has any hope of recovering it, at least not through the usual channel of reporting it to the police.

Tuesday, March 17, 2015

An Internet of Things is coming with zero security, and Barbie knows it

It’s the hype of the moment: the Internet of Things. And with it come the repeated warnings about its lack of security. That’s the dream: electronic refrigerators that tell you when you are running out of milk, toasters and coffee makers that turn themselves on while we shower in the morning, or home heating and lighting that can be controlled at a distance. The dream becomes a nightmare of fridges, toasters and houses that can now be easily attacked by viruses and criminals. In case we had not noticed, a perfect example has come to light these days: the new Barbie doll.

Its name is “Hello Barbie”, and it has the ability to chat intelligently with kids. Here’s how: the device records their conversations using voice recognition technology and sends them via wifi to third-party companies, which process every recording so that the doll can give a customized response. Goodbye, old-fashioned prerecorded “Mom, dad, I love you”! The problem, say privacy advocates, is that it does not sound very good for dolls to spy on your kids.

Monday, March 16, 2015

Mariners upon the sea! A new course awaits us: The blue team one

On the deck of the warship HMS Belfast, the alarms sound. Several soldiers arrest one of the passengers just before he takes out the weapon he's hiding under his life vest. But the damage is already done. The on-board computer equipment has been hacked, and the mission of the 42 experts on board is to be part of the blue team in charge of preventing the malware from firing the warship's artillery on the capital of the United Kingdom.

This is how one of London's annual cybersecurity hackathons starts. 42 students will act as a cybersecurity blue team in charge of protecting the battleship (a real ship, now used as a tourist destination) and preventing the countdown from reaching zero. What's at stake is a juicy cash prize and the search for new talented hackers.

Sunday, March 15, 2015

Top 5 Infosec links of the week (LXVI)

This week has given us juicy news, like cherry trees awakening from their winter lethargy and greeting spring with an explosion of flowers. Juicy and curious news that is reflected in our most read selection: Linux viruses, identity theft, the United States government's hunt for hackers... Come on.

Our most read news this week is, curiously, associated with an operating system that is a minority among users: GNU/Linux. The National Institute for Cyber Security warns about malicious code on this free system, given the exponential growth of Linux in the Internet of Things and networked computers.

Saturday, March 14, 2015

United States Congress seeks compromise on data breach notice bill

The US Congress is working on legislation about data breach notification. It was about time, now that we are sadly accustomed to daily news about thefts of tens of millions of people's personal information. We are happy because when the US makes a move on something, the rest of the world moves too. This Saturday we also talk about a virus that attacks gamers, phishing with Amazon gift cards and a security hole in Google Apps for Work.

Marsha Blackburn, bill's co-sponsor
The Data Breach Notice Bill is still a draft but is already attracting much interest in the US Congress. It faces two lobbies: industry and privacy advocates. The law has some hot spots, like deciding whether an email address and a password to access an account can be considered information that allows a person to be identified; in which cases a company that has suffered an attack must notify its users and within how much time (30 days); or the amount of the fines (up to $2.5 million).

Friday, March 13, 2015

The neverending rhapsody in the world of security

Bohemian Rhapsody is perhaps one of the best-known songs in the history of rock. Written by Freddie Mercury for 1975's 'A Night at the Opera', it remains even today a true challenge, both in its structure (six different styles in five minutes) and in its meaning, possibly an autobiography of the feelings and unsteadiness of this mythical singer.

Unsteadiness or... well, insecurities. Like the insecurities we find in product distribution chains, especially in the lax security policies of most shopping centers. There aren't more security breaches in the US, they say at Verizon, but alert systems are more sophisticated there. So breaches are under-reported globally. This affects both banks and end customers, and it jeopardizes the world economy.

Thursday, March 12, 2015

There is no 100% secure and foolproof system

It is the eternal fight: how to find the balance between security and business. Shall we secure what is in production? Shall we produce new features, even when they bring new security and privacy issues to both new and old systems? After all, time is money. Fortunately, both worlds seem to be coming together.

At the beginning of the week some banks decided to block Apple Pay payments by default. Today we know something new: rather than a potential security breach at Cupertino, it was the roguery of the crime industry, taking advantage of the ease and accessibility with which Apple Pay digitizes cards to use this payment gateway with stolen bank accounts.

Wednesday, March 11, 2015

Disjoining digital and real world: a huge mistake

Monday, 09.00 AM. As every morning, you leave home and go to work, but before you reach your car, an elegant man stops you and gives you 200 euros in exchange for depositing a wad of money into an account at the bank on the corner. Would you?

Most people would not do it, for the simple reason that it looks like a scam, or at least like something that will get you in trouble. But if we transfer the same case to the digital world, things change. Why?

Tuesday, March 10, 2015

'Hackority' Report

"Mr. Marks, by mandate of the District of Columbia Precrime Division, I'm placing you under arrest for the future murder of Sarah Marks and Donald Dubin that was to take place today". It sounds like a science fiction future, right? The question is... for how long? Today the field of cybersecurity sounds more than ever like 'Minority Report', the film starring Tom Cruise and directed by Steven Spielberg.

A post in the specialized section The Security Download of the Wall Street Journal says it verbatim: "Artificial intelligence and machine learning are playing a larger role in cybersecurity, which can in theory help companies identify risks and anticipate problems before they occur". They are new techniques (rather than technologies) that come to stay, allowing faster identification of vulnerabilities, increasing detection rates and discovering yet unknown attack vectors, says the CIO of the University of Victoria in British Columbia, Paul Stokes.

Monday, March 9, 2015

What is fraud, what is scam, and what are they used for?

Fraud, scam and phishing. Three terms that usually go hand in hand, and that rely on IT for their misdeeds. None of them can live without the others, and users and companies suffer the consequences. Well, but... what are the differences between them? And, above all, what is their role in the world of cybercrime?

Let's begin with fraud, the most generic of them. Fraud is nothing more than the antithesis of truth, the opposite of doing things the right way. There are many styles of fraud; just think of the recently revealed fraud affecting some Apple Pay users. In fact, several banks have chosen to block this service by default until the client identifies himself to get it activated.

Sunday, March 8, 2015

#RootedCON, Day 3: wanting more and more

All good things must come to an end, and RootedCON is one of them. We arrive at the last day of this masterly security event, which has given its best for one more year. It has been a triumphant ending for this edition, with some of the most anticipated talks. Did you miss them? Don't worry. CIGTR tells you. Let's go!

The third and last day of this Rooted started with the talk by Miguel Tarasco (@tarlogic), who appealed to the developer community: not every attack targets the end user, and in fact it will be neither the first nor the last time that code taken from the Internet carries embedded "presents" that allow third parties to install a shell on a development machine with the permissions of the IDE in use.

Saturday, March 7, 2015

#RootedCON Day 2: PoC earthquake

Sometimes you know, before getting up, that it's going to be a hard day. You will end the day with a notebook full of notes and your head spinning over topics you probably were not thinking about just a few hours before. And yes, yesterday, Friday, was one of those days.

Second day at RootedCON, one of the most important events in the field of computer security, held as every year in Madrid (Spain). Yesterday we posted the chronicle of day 1 (http://kcy.me/1qsci), and here we go again. What was this 2nd round about?

Alfonso Muñoz, from Eleven Paths, kicked off by talking about his specialty: on this occasion, stegomalware in mobile applications. Or, what amounts to the same thing, different ways to obfuscate executable code in applications from the Android Play Store: in the store itself, using PNG images with obfuscated code; in the calls to external resources that the application makes in order to operate smoothly; and also, of course, in the resources of the application. It is a very sophisticated attack vector and, today, almost undetectable, because there are no systems focused on this type of scrutiny.

Friday, March 6, 2015

#RootedCON Day 1: The show begins!

RootedCON began yesterday in Madrid. This is one of the biggest information security events in Europe. It is a good excuse to gather the different professionals and enthusiasts of this industry under the same roof. The event takes place over three days, during which several 0-days will be revealed.

Early in the morning, the Hotel Auditorium is already a beehive. Thousands of attendees, knowing looks and pats on the back. Anyone who has been to a Rooted before comes back. The atmosphere is relaxed. Most people are in T-shirts, no ties. Hackers, security consultants, military and law enforcement, lawyers, journalists, activists and even some attorneys. All of them share the same enthusiasm. In fact, people go there for the networking, but above all to enjoy themselves with the "family".

Thursday, March 5, 2015

Blue and black or... white and gold cybersecurity

"What colors are they, actually? White and gold or blue and black?” Very few images have gone as viral as the one of this dress, which changes color depending on who is looking at it. It has generated all kinds of discussions, in cafes, offices and schools, with people holding up their smartphones and showing the photo to everyone.

So, is cybercrime coming or going? Is it growing or decreasing? Does it have boundaries or not? As happened with the photo of the dress, it depends on who you ask. And, to be precise, it depends on how sensitive someone is to the side of cybercrime they are looking at. If you take into consideration reports like this one by Silicon News, you may find a rather negative picture. There are reports from all types of market players that make it clear that we are going from bad to worse. And with this warning as a headline: "Cybercrime has become an unpleasant consequence of the connected society in which we live."

Wednesday, March 4, 2015

Computer security freaks

The meaning of the word ‘freak’ has changed over time. ‘Freak’ means something strange or unusual. This is why it has been associated with the world of the circus for centuries. Freak shows arose in England in the seventeenth century. They used to take place on the street, to entertain people in the largest squares by showing individuals with grotesque, unique qualities.

Several centuries later, the whole alternative culture led by artists such as David Bowie or Roxy Music was considered ‘freak’ in contrast with more traditional rock. But this word has a new meaning: it is the name given to a new vulnerability in the encryption protocol used for secure communications by Safari and Android's default browser. FREAK (Factoring attack on RSA-EXPORT Keys) allows a cybercriminal to force the use of 512-bit encryption keys instead of the 2048-bit ones established by the rules. It is a way to simplify access to the encrypted content.

Tuesday, March 3, 2015

Shall we play Battleship with data from people and businesses?

Times of war are always difficult. Both soldiers and civilians need to keep themselves entertained to cope with the fear of an enemy attack. This is why these times are, paradoxically, very productive when it comes to creating new games, such as “Broadside: The Game of Naval Strategy,” which was the forefather of the Battleship board game.

You've probably played this game more than once: two players, two boards each. One is for placing your naval fleet, and the second is empty, waiting for you to gradually discover the position of the opponent’s fleet. It is a strategy game based on triangulating the enemy's ships before he does the same with yours. Taken to the real world, it could be something similar to the strategy followed by Stanford University to prove that a malicious app installed on a smartphone can get your geographical position without GPS, just by monitoring the device's battery drain as it attempts to communicate with the antennas around it.

Monday, March 2, 2015

"super" as a master key, or the security of mainstream services

"super." As it sounds, written in lowercase letters. It might have been "admin" or "1234", but someone thought of "super." Just like this, in plain text included on a configuration file.

"super" is the new master key for home routers. A failure in a router led researchers to perform social engineering on its firmware. They found out that they could use "super" and "super" to log into its manufacturer’s website. But they did not stop there, and tried their luck with other brands. Voilà! 10 router manufacturers had incorporated the same backdoor.

Sunday, March 1, 2015

Top 5 Infosec links of the week (LXV)

We're all apprentices. We come into this life to learn, and we retain until death a strong impulse, which we call curiosity, towards unknown things. The new territory called cyberspace will provide us with explorations for a few generations, possibly until mankind is mentally and technically ready to take its curiosity into space (with no cyber this time). Meanwhile, a vital eagerness to learn directs our attention to all kinds of manuals, guides and how-tos related to the Internet. Our most read links show the way.

This week, only one story that is not a guide has strongly drawn the attention of our readers: a 14-year-old boy, armed with electronic equipment worth $15 and a mobile phone, was easily able to unlock the doors and remote-start the engine of an intelligent car. He also made the car play music from his mobile phone and flashed the headlights to the beat. The boy was in a competition to demonstrate the insecurity of this type of car.