Friday, July 31, 2015

Turn for General Motors: starting up its cars remotely

The automobile industry can call the summer of 2015 its "summer horribilis". If last week two hackers embarrassed Chrysler by leaving one of its cars without brakes and stopping its engine on the motorway, now it is the turn of General Motors: the app that can open its cars and start them has been hacked. We start with this news and continue with a major security alert involving Internet infrastructure, the attempts to secure access to Facebook and the biggest cybersecurity event on the planet, Black Hat, which opens tomorrow.

The General Motors hack is a preview of a talk that will possibly draw a large audience at Defcon, which will be held just after Black Hat, also in Las Vegas. A hacker from Los Angeles has created a device, which he calls OwnStar, that hacks OnStar, the communication channel of General Motors cars. OwnStar can find and steal the credentials needed to open the cars and start them remotely.

Thursday, July 30, 2015

Now, United Airlines could have been hacked

The company continues to deny it, but there seems to be more and more evidence that elite computer mercenaries have assaulted the second US airline, United Airlines, stealing data on its passengers. United Airlines is the government's airline of reference, the one its politicians, military and other VIPs fly with. We will expand on this information, and we'll also talk about a new use that cybercrime is making of Twitter, a new tool for our electronic privacy and where it is better not to go on vacation with our drone.

The Black Vine group, supposedly paid by the Chinese government and responsible for the multimillion data thefts from the insurer Anthem and the US government's Office of Personnel Management (OPM), might have attacked United Airlines in spring. Increasingly insistent rumors suggest so. Over recent months the company's network has gone down several times and United Airlines has launched a "bug bounty" program. In April, someone posted a false domain named James Rhodes, a character from Marvel Comics. Black Vine usually signs its "jobs" with references to Marvel.

Wednesday, July 29, 2015

A new cyber-villain is born: Black Vine

The company Symantec claims to have discovered those responsible for the biggest data theft known so far, whose victims were 80 million people, customers of the second US insurer, Anthem. This would be the group Black Vine, formed by elite IT mercenaries. We'll talk about them and also about how easy it can be to assault a lockbox, an epic mistake by the Belgian government and a success story that could have ended in tragedy: the fork of Bitcoin in 2013.

According to Symantec, Black Vine specializes in big companies, having attacked not only the insurer Anthem, but also oil, aerospace, air and other companies. The group would have ample funding for the purchase of equipment, including various 0days which the cybercriminals could share with other groups, although they would program their own tools too. Its main target since 2012, when it began its voyage, would have been US companies (82%) and, to a lesser degree, Canada, Denmark, Italy, India and China. Its origin could be Chinese.

Tuesday, July 28, 2015

A serious flaw allows the hijacking of 95% of Androids with a simple message

It affects 950 million phones and it doesn't require any action by the victims, not even opening the message that will take control of the phone. The discoverers, Zimperium, consider it the most serious vulnerability discovered so far in the Android operating system, and the experts say that they are right. We'll talk about it, as well as about other research that has managed to extract all the data from a completely isolated computer, about the web browsing of British parliamentarians and about how to educate unaware people in security.

The scenario could be as follows: at night, we go to sleep and leave the phone turned on. The attacker only has to know our number and send us a multimedia message (MMS), which does not need to be opened. It contains malicious code that will surreptitiously take control of our device. Afterwards, the attacker simply deletes the receipt report of the MMS and the victim will wake up the next day without realizing that something happened. Zimperium will unveil more details at its upcoming Black Hat lecture. The big problem will be how to get the patch if our system is not pure Android, given the little interest shown by manufacturers in keeping our Androids updated.

Monday, July 27, 2015

The Jeep hack will mean a fine of $105 million for Fiat Chrysler

This weekend the company Fiat Chrysler has discovered how expensive it can be to ignore researchers who warned it seven months ago about serious security flaws in its UConnect network. Last week, these researchers and a journalist from "Wired" showed the world how it was possible to leave a Jeep Cherokee without brakes and remotely shut it down on a motorway. Today we live the aftermath of this show, which has shaken the world and occupies our Monday report.

The authority responsible for car safety in the USA has fined the company Fiat Chrysler Automobiles $105 million due to serious security flaws which involve millions of its vehicles. Specifically, most of the models created between 2013 and 2015: Jeep Grand Cherokee, Cherokee, Dodge Durango, Dodge Charger, Dodge Challenger and Dodge Viper. The organization responsible for traffic safety on the national highways has also reprimanded the company, finally reaching an agreement with it.

Sunday, July 26, 2015

Teso: "I will not stop investigating aviation security"

Hugo Teso, security consultant specializing in aviation.

Photo: Elisa Coello Rueda
I do not know Hugo Teso in person, but I feel great tenderness for him. Possibly his intellectual courage has something to do with it. He has not gone to college. He got as far as the university entrance exam, obtained a commercial pilot license and from there climbed to the world's cybersecurity elite: he became the first consultant to warn of the incredible fragility of aeronautical communications systems. The breakthrough came when, at the Hack in the Box conference in Amsterdam, Hugo showed how he could hack a plane from a mobile phone.

He has just turned 33, a really significant age. In Berlin he works for the renowned Finnish company F-Secure, which just bought the Danish company that employed him. The great Hugo Teso was born in Barcelona, but the reader will agree with me that such a large talent needs room to expand. On his LinkedIn he says his work is "computer consultant". He makes it clear that behind that nondescript name hides something fun: testing the security of all types of systems, from web pages or apps to airplanes and cars.

Friday, July 24, 2015

.sucks domains become a new form of extortion

Among the 6,000 .sucks domains that have been sold since their launch in June, only twenty are being used. The rest are purchases by celebrities and companies that do not want to see things like "" on the Internet. More and more voices describe this domain as extortion. We'll also talk about a major security alert that affects the Internet Explorer browser for mobiles, the danger of fake profiles on LinkedIn and an informal but interesting piece of research about hackers' ads.

ICANN has recently put the .sucks domain on the market, along with others which have not been so successful. This domain was designed for web pages that would complain about politicians, corporations... but those who are buying it are celebrities and companies which do not want to see these critical domains. Being aware of this, the registry company Vox Populi, which sells these domains, has increased its prices tenfold if the buyer is a trademark. Some talk of blackmail and extortion. ICANN is investigating.

Thursday, July 23, 2015

Nothing works for the Hacking Team customers

Two weeks after the company Hacking Team asked its customers to stop using its monitoring systems, everything remains the same. Cops and spies all around the world cannot use the programs they bought for hundreds of thousands of dollars. We'll expand on this, as well as on other news which continues to be generated by the Hacking Team case, the drama of this summer: a study on the 0day market and another on the high quality of its virus for Android. We'll also talk about the big theft of US officials' data, another saga that is alive and kicking.

The magazine "Motherboard" has been able to speak with a Hacking Team customer, who says: "Everything is down, Hacking Team will need months to temporarily restore the service." The challenge is not only to bring the monitoring system back up. With the global spread of the company's internal documentation, flaws in popular software have been discovered and already fixed by the vendors, antivirus products have been updated thanks to this information and security experts have discovered Hacking Team's tricks. How can we return to the past?

Wednesday, July 22, 2015

Four arrested in the biggest bank data theft in history

In August 2014, the biggest US bank, JPMorgan Chase, announced that private data from 76 million customer accounts, plus 7 million small businesses, had been stolen. One year later, the FBI announces the arrest of four persons connected with the case. Today we'll also highlight two applications for data theft, how easy it seems to be to hack a Jeep and fresh news about Darkode.

The arrested would be two men in Florida, two in Israel and possibly a fifth person of American nationality living in Israel. They are accused of several computer crimes related to financial institutions and the virtual currency Bitcoin. The JPMorgan theft was a scandal at the time, because the criminals strolled around the bank's network for a month without anyone realizing it.

Tuesday, July 21, 2015

Emergency patch for Windows because of the Hacking Team case

The company Microsoft has released an emergency patch to fix a critical flaw that affects all versions of Windows. Rumors say that this is due to the 0day discovered in the information stolen from Hacking Team. The topic is still kicking, with all sorts of new information. We will detail it and we'll also discuss the other topic of the summer: the great assault on the US government's Office of Personnel Management, which has forced the implementation of security changes that do not make everyone happy.

The fault lies in the Windows Adobe Type Manager library. If exploited, it would allow an attacker to remotely execute code or, in other words, to have total control of the victim's computer. It is a really serious flaw present in all versions of Windows and, as stated by the company FireEye, it would be part of the arsenal of 0days discovered in the material from the Italian firm Hacking Team. It's scary to think how long this exploit has been in use and against what targets.

Monday, July 20, 2015

Millions of adulterers with their data in the open

It happened again: the database of an online dating website has been stolen. This time, we're talking about 37 million people affected from, the main website of this kind, which has this motto: "Life is short. Have an affair". We'll talk about this information and we'll also deal with a very current topic, 2 weeks after it was discovered: #HackingTeam.

At Hack&Beers it is common to give a talk with a beer in one hand

Miguel Ángel Arroyo, maker of Hack&Beers events.

There are very good people creating software ... and others who have a knack for building communities. Miguel Angel Arroyo is one of the latter. In a couple of years he has put the Andalusian city of Cordoba on the map of the Spanish cybersecurity community. The kick-off was in May 2013 with the first Hack & Beers meeting, which is now hosted in 10 major cities in Spain, and the number will rise. A year later, together with Maria Jose Montes, he started the brilliant idea of "Hacking Solidario": cybersecurity talks in exchange for food for the Food Bank and the Red Cross. This initiative has already gathered 200 kilos of food.

And that is not all. Last year they set up the first security conference in the history of Cordoba, Qurtuba Security Congress, with over 300 attendees. And the National Association of Professional Ethical Hacking, which is chaired by Miguel Angel himself, has just been launched. Technical Management Information Systems Specialist, working at SVT Cloud Services and studying Computer Engineering; married and father of "two wonderful children", with a shy smile and darting eyes, Miguel Angel Arroyo, 39, is a natural hard worker.

Friday, July 17, 2015

How do you tell 20 million people that they have been hacked?

The Office of Personnel Management of the United States government is facing its second major challenge, after recognizing that the personal data files of over 20 million people were stolen from it. The challenge is: how do I notify them? We talk about it, as well as about an arrest that reminds us of the never-extinct scheme of white hacker by day and black hacker by night. We also discuss an attack that distracts the victim while a virus is installed and a personal initiative that makes available a wealth of information on cybercrime black markets.

Last week, the US government recognized two attacks on the files of its Office of Personnel Management, in which very important personal data of 21.5 million people were stolen, including details of sexual behavior, extramarital affairs, drug abuse, financial problems and criminal records. The big problem now is how to centralize the information and notify those affected. A challenge from which they will quite possibly learn new things.

Hacker by day, criminal by night

Another story that has caught our attention is the old scheme of hacker by day and evil criminal by night. We have seen it in a FireEye worker who has been arrested in the raid on the dark web forum Darkode. Morgan Culbertson, aka Android, only 20, is accused of creating and selling a virus called Dendroid: $300 for the virus and 65,000 for its source code. By day, Culbertson worked at FireEye analyzing viruses.

They call to distract them

Speaking of viruses, researchers at Palo Alto Networks warn against a new threat, the work of the same group responsible for CrazyDuke, Seaduke and other "dukes". This time they send their victims a link or a .pdf about terrorism that carries a virus. To distract them while the malicious code is installed, they phone and distract them with a recording of a journalist seeking information for a report.

Everything you wanted to know about the Dark Web

We end this week with a recommendation that will keep those who are interested in it busy all weekend. It is a 50 GB file in which a researcher has gathered all the information that has been copied over the last three years from the black market network. A certainly priceless compilation that has reached us through the Spanish RootedCON mailing list.

And with that and a biscuit ... We invite you to enjoy our Sunday interview, whose guest this week is Miguel Angel Arroyo, founder of the Hack & Beers meetings.

Thursday, July 16, 2015

Raid on the dark web

One or more FBI agents infiltrated the cybercriminal forum Darkode and, with the help of 20 countries, 70 people have been arrested, accused of exchanging data for misdeeds of all kinds on the Internet: data theft, botnets, viruses ... It is the news that we published yesterday on our Twitter and that today we can expand with very interesting information. We also discuss a new attack that allows the theft of cookies, what happened to a researcher who warned of a hole and another type of security, that of communities, exemplified by the famous Reddit.

Darkode was a forum in English where cybercriminals met, mainly from Europe and the United States, almost all in their twenties. The forum, which had been running for eight years, was entered by invitation and was password protected, a lax security which allowed the police and even reporters to infiltrate it. One was Brian Krebs, who explains in his blog who its leaders were, including the Lizard Squad group and the creators of the famous Mariposa botnet, resident in Spain for years, one of them a Spaniard from Vizcaya.

Wednesday, July 15, 2015

A month of community service for the biggest attack in the history of the Internet

The DDoS bombardment of Spamhaus, an organization dedicated to fighting spam, began on March 15, 2013 and was so brutal that it came to slow down the operation of the entire Internet, with a force of 300 gigabits per second of traffic. One of its authors, a teenager, has just been sentenced to 240 hours of community service, a derisory punishment. We will discuss it, as well as the upcoming Internet Law in China, the banking Trojan Dyre landing in Spain and the Hacking Team spyware which hides in the BIOS.

Seth Nolan McDonagh, alias "narko", began his criminal activity at the "tender" age of 13. Among other things, he devoted himself to knocking websites offline on request. After his arrest in April 2013 it was discovered that he had 72,000 pounds in a bank account and 1,000 credit card numbers. Just yesterday we mentioned the case of another teenager, a Lizard Squad member, sentenced to two years in Finland without having to serve the sentence. Derisory punishments, according to critics, set against the gravity of the damage caused. So it seems that the Internet allows someone to be the worst cybercriminal even before growing a beard. How should it be punished?

Tuesday, July 14, 2015

All against Flash

Mozilla has announced that all Adobe Flash Player versions are blocked by default in the Firefox browser. The reason is a wave of exploits which attack various 0days discovered in Flash, with no known patches yet. 0days, certainly, discovered in the files stolen from the company Hacking Team. We will talk about it, as well as about the compensation paid by a bank to its customers for not having been able to protect their data, and we'll talk about the encryption wars too.

Courtesy of Speed Force
Yesterday the new Facebook security chief declared that Flash Player should be eradicated from the face of the Internet. His words were in tune with an increasingly widespread opinion among cybersecurity experts: Flash Player is a nest of holes and must be removed now that there are alternatives to its use, such as HTML5, which is already used by YouTube. Following the wave, Mozilla has blocked Flash in Firefox until Adobe publishes patches for the latest vulnerabilities.

Monday, July 13, 2015

More dirty laundry about Hacking Team Revealed

The Italian government and the main ISP in the country would be in collusion with the company Hacking Team, which sold spy programs to police and secret services all over the world. The collective analysis of the documents stolen from Hacking Team still goes on and we have discovered that the startup was not alone: it had major companies behind it and Italian politicians who used its products. Today we also speak of a United Nations agreement on cyberwar, the outrage over the sentence of one of the members of Lizard Squad and how the virtual currency Bitcoin is rising following the situation in Greece.

Picture by Phelan Riessen
After the discovery last week that Hacking Team worked with governments which do not respect human rights, the research on the emails and documents stolen from the company is going deeper into new areas, such as its relationship with important names in Italian industry and politics, who helped the startup to grow. Today we learned that Hacking Team hijacked IP addresses, with the connivance of the ISP Aruba, helping the Italian police in an investigation.

Sunday, July 12, 2015

"I have written more than 300.000 code lines for Radare"

Sergi Álvarez, creator of Radare, the open suite of reverse engineering tools.

Sergi Álvarez, 32 years old, is incredible at computing, a privileged mind whose conversation can be so technical that it seems he will end up talking in compiler language. An old acquaintance of the hacker community under the aliases Pancake and Trufae, in 2006 he decided to create a tool to recover deleted files from a MacBook G3. That was the start of his adventure and of the biggest free infosec project created in Spain: Radare, a suite of tools for reverse engineering.

Friday, July 10, 2015

The community throws itself into the analysis of the Hacking Team papers

We are living through an epic worldwide effort never seen before, centralized in the #hackingTeam and #hackingteamtransparencyreport hashtags on Twitter. Since more than 400 GB of private documents from the Italian company that sells spyware to governments were made public, the hacker community has continued to dig, sift and share the information found. We talk about it and about the two intrusions into the US government, which now total more than 20 million people affected. Not forgetting the bug in OpenSSL that finally became public yesterday.

Source: Electronic Frontier Foundation
Yesterday, WikiLeaks made the task of analysis easier by providing the community with a database of one million emails stolen from the company Hacking Team, along with the corresponding search engine. It all, especially were the customers of the company who. Police forces around the world, almost without exception, were related to Hacking Team, at least to see demonstrations of its products. The Spanish ones too.

Thursday, July 9, 2015

Is the failure of an airline, the stock exchange and a newspaper normal?

The US government has denied that there were cyberattacks, but the magazine "Wired" does not hesitate to speak of cyberarmageddon. Because yesterday an airline and the New York Stock Exchange had to stop their activity due to computer problems, while the website of the "Wall Street Journal" went down. And all of it a day after the Hacking Team leak, on which the EFF has delivered its opinion. We will also talk about encryption on the iPhone and a new APT: Wild Neutron.

Senator Bill Nelson said on his Twitter account that the three incidents seemed to be the consequences of attacks, and he tied the issue to his own field by asking the US Congress for a new law on cybersecurity. The government and the companies concerned have contradicted him, speaking of automatic and computer failures. Who knows, but in any case those are still a lot of coincidences at the same time.

Wednesday, July 8, 2015

It's better not to use Flash Player today

The flood of information about the leak at the company Hacking Team is subsiding and we wake up to some corpses on the sand. The most urgent is a Flash Player 0day discovered in the assault, which some criminals have already added to their exploits. We will expand on this news and discuss others: hacked missiles, 3D printers used to commit a crime and the account of two weeks of living with the worst people on the dark web: the monsters of pedophilia.

The company Symantec has confirmed the existence of a previously unknown vulnerability in Adobe Flash which allows code to be executed remotely on the computer. Hacking Team offered it to its customers to break into other people's machines and, now that it is known, criminals have begun to use it with the same intent. Tomorrow we will have the patch and, meanwhile, experts recommend disabling Adobe Flash in the browser or uninstalling it.

Tuesday, July 7, 2015

Warning of a boom in banking Trojans this summer

Today it was difficult for us to find, among the current infosec news, an item which had nothing to do with the famous assault on the company Hacking Team, which specializes in selling spy programs to governments around the world. But we found one: there is a warning of an explosion of Trojans based on ZeusVM. We'll expand on this information and we'll also talk about the big bang which is impossible to ignore: the assault on Hacking Team.

Last month the source code of the Trojan ZeusVM was released, as were the tools to create and customize it. ZeusVM is a variant of the famous banking Trojan Zeus, with the particularity of using steganography to hide in image files, something that is not new but that people are not used to and that, above all, allows the Trojan to hide from antivirus products. Experts predict a ZeusVM explosion now that free tools to create it have been posted.

Monday, July 6, 2015

Supposed hackers who worked for governments humiliated

Today everybody in the infosec world is talking about the company Hacking Team, which used to do "little jobs" and sold spy software to governments, and which has been hacked, humiliated and brought to its knees amid the laughter of the hacker community. Laughter? Yes. We'll talk about this, and also about the feat of a teenager who is 20 years old but an expert malware programmer. We'll talk about a wireless battery charging device and we'll end by looking at what people usually ask hackers.

The Italian company Hacking Team had been reported by different organizations, RSF among them, for working for oppressive governments such as Sudan, Egypt or Ethiopia, selling them the technology to spy on journalists or dissidents. Yesterday, somebody got into the company's Twitter account and published a link to a torrent file which contains more than 400 GB of internal documents, mails, audio... stolen from the company's computers.

Saturday, July 4, 2015

"We use smartphones without thinking about smart security"

Gerard Vidal, cofounder and CEO of Enigmedia. Speaker in the Startups Space at the summer course Cybersecurity Innovation applied to the protection of digital identities.
Enigmedia founders team

Gerard Vidal is a Telecommunications Engineer and Doctor in Mathematical Physics. He has worked as R&D Project Manager at Scientifica, collaborating on a project at CERN (European Organization for Nuclear Research). Father of the technology and founder of Enigmedia, he focuses on cipher development and relations with technology partners.

Friday, July 3, 2015

Mastercard will ask you to take a selfie to confirm your purchases

It is a pilot test which will use 500 "guinea pigs" who, instead of entering a PIN, will take a selfie to confirm payments with their credit card. Mastercard calls it "the new generation" and we'll have to see if it works, given the failures we discover in biometrics day in, day out, while it is still not widely used. We also speak today of new legislation in the US, how a Bitcoin exchange was hacked and the cyber espionage tool par excellence, XKEYSCORE.

It seems simple: to verify a purchase made with our Mastercard card, an app on our mobile will be activated to give us instructions for taking a picture of either our fingerprint or our face. Easy, but ... are you sure? It remains to be seen whether this pilot finally becomes a widespread reality. Anyway, Mastercard deserves congratulations for looking for solutions to the nineteenth century scheme of confirmation via PIN.

Thursday, July 2, 2015

"Cybersecurity is far from the optimal interface for humans"

Alberto Partida, IT Security and Risk Management Analyst and speaker at the summer course Cybersecurity Innovation applied to the protection of digital identities.

Alberto Partida is an engineer and MBA passionate about information security. He is a columnist and author of reference books in this field. He has more than 15 years of international experience in Information Security and Risk Management. You may follow him through his blog and his account @itsecuriteer on Twitter.

Wednesday, July 1, 2015

Why do you want encryption if you don't know how to apply it?

The American expert on encryption Jonathan Oseas, holder of several patents and author of several books, used to say that there are plenty of ways to implement encryption, the majority of them wrong. Another guru, Adi Shamir, often reminds his audience that nobody attacks the encryption algorithms: they go around them. Today we recommend an interesting report about how badly encryption is implemented, and we will also talk about Windows 10, a new spy Trojan named Dino and the entry into force of the reform of the Penal Code in Spain.

The complexity of cryptographic libraries, coupled with the lack of experience of developers, who are taught about the algorithms at university but not about how to implement them, has led to this situation: security holes related to poor encryption implementation are the second most common vulnerability in programs. To make things worse, some developers decide to create their own algorithms, which is usually doomed to pure failure.