Monday, August 31, 2015

Do not have the wool pulled over your eyes

Cheats and ruses are the order of the day, even more so now that we are back to business as usual. You may be the target of an endless ad campaign (a legal one in the eyes of the administration) or the victim of a Facebook spam campaign. Or you discover vulnerabilities in the very core of your own system. Or you are pushed out of the market (with all the dangers that entails) for owning a device that is a few years old. All of this in today's Monday info pill. Are you ready?

You open your mail as you do every morning at the office and find a Samsung promotion. Everything looks normal. "You could win 500 euros", just by handing over your phone number and personal details. And maybe we will ask you to fill in a few forms from some of our affiliated companies. And maybe from some others too... and before you know it you have spent twenty minutes filling in forms with no end in sight. What is more, this kind of campaign is perfectly legitimate, because nobody ever promised you would actually get the prize...

Sunday, August 30, 2015

José Selvi: "You open your sniffer and start to do unexpected things..."

José Selvi. The pentester.

José Selvi seems genuinely annoyed that he did not live through the underground hacker scene of the 90s. It is useless to point out that many hackers his age, 34, did not either. It is an interesting place that his curiosity, his hunger for knowledge, never got to visit. We would bet he would trade all his certifications, and he has many*, to attend a single UnderCon.

Anyway, we cannot picture this quiet man as a pirate on an IRC-Hispano channel. Selvi is a white wizard who came to hacking through his studies. Without leaving Valencia, he has moved from the video game screen to cybersecurity, from his IT engineering degree to his current job as Senior Penetration Tester at the British company NCC Group.

Friday, August 28, 2015

Trick or treat?

RIP Flash. Two words are enough to summarize the future of this Adobe technology. In a move that probably serves several interests at once, Google has brought Halloween forward and announced its "trick or treat": from September 1st, non-essential Flash content will only play when the user asks for it. In other words, Chrome users will see a grey block in place of that content until they click on it. Mozilla, WhatsApp and Kaspersky are the other three names on this Halloween-flavoured day of August.

Performance, corporate interest or security? Mountain View says that blocking Flash content is meant to improve Chrome's performance, which suffers when it has to render two or more Adobe elements at once. It also means, and this is the most critical point, that a large share of advertisers will have to move their ad formats to HTML5 standards, or move over to Google AdWords, which can be summarized as "if you are not in Google's advertising network, forget about appearing in Chrome". What is certain is that a large part of the malvertising we discussed yesterday as a cybercrime trend will have a much harder time infecting us. Trick or treat?

Thursday, August 27, 2015

Twitter, leaks, stolen data and Sherlock Krebs

"One thing is clear. If Thadeus Zu was not involved in the hack, he certainly knows who did it." That is the conclusion of a superb investigation by security expert Brian Krebs into the Twitter profile @deuszu, aimed at finding out who is behind the theft and leak of Ashley Madison's data. It is the most famous case of late, but not necessarily the most serious or important one: medical data are increasingly in demand, while criminals keep finding new ways to slip unnoticed into anyone's computer.

A mysterious character, probably operating under a fake identity, who sends hundreds of tweets a day addressed to nobody, yet which seem to be part of a larger conversation, without ever mentioning another user. And with actions as suspicious as discussing the Ashley Madison database 24 hours before any media outlet did. A coincidence, for someone who claims to have gone to Canada in search of a new love? Too much of a coincidence. Brian Krebs' investigation deserves to be read from beginning to end.

Wednesday, August 26, 2015

Think about how you want to get out of jail

We all like to play with our mobile devices: customizing them, giving them that personal touch that tells the whole world THIS is MY smartphone. If you are an iPhone user it is a bit harder, but there are still options, such as "jailbreaking" your Apple device. If you have already done so, you may have reason to worry today. We will see why in a moment, and we will also talk about Android security, the worldwide distribution of risk and, keep an eye on this one, a new variant of Zeus, the financial malware par excellence.

The iOShacker blog revealed today a major leak of iCloud data: up to 200,000 account records of users who had jailbroken their iOS devices (iPhone, iPod, iPad), according to the Chinese site WooYun. Early speculation points to malicious tweaks carrying backdoors: pirated copies of the legitimate tweaks used to "break the jail" of Apple devices. The alleged database may be for sale on a Chinese server, which would let buyers commit all sorts of misdeeds with it, from building botnets to cashing in on the data it contains.

Tuesday, August 25, 2015

Cybersecurity with tango rhythm

"Return with my forehead all wrinkled, my temples turned silver by time's falling snow". The immortal tango by Carlos Gardel, with lyrics by Alfredo Le Pera, left us a line that has become a cultural reference: "twenty years is nothing". And so, 20 years ago, Windows 95 was born, for many people the first operating system worthy of the name. With all due respect to Gardel, a great deal has changed in the past 20 years, especially where security is concerned, although today we still come across incredible facts, as if we were back in 1995.

Windows 95 was a true revolution in the interaction between people and PCs. Freelance journalist Ian Morris has summarized for Forbes the seven ways this Microsoft product changed the world. Morris points to its Internet capabilities, the introduction of the Start button and the taskbar, concepts such as plug and play, synchronization and user profiles (with security protections anybody could bypass today). Considering the evolution since then, it is hard to imagine what our PCs will look like two decades from now.

Monday, August 24, 2015

Today it's better not to multitask

Third time lucky, they say, and we hope this time the book of proverbs is wrong. As if Stagefright and the critical mediaserver vulnerability were not enough, researchers have just found a security hole in Android that affects almost all devices. This is how the week starts, a week with echoes of the last one, with the first suicide allegedly linked to the Ashley Madison case, and a week in which we will hear that the Pentagon is going to "take it all" when hunting cybercriminals.

The new vulnerability in Google's mobile system appears to lie in the devices' multitasking capability, and it could allow an attacker to take control of the whole device: spying, credential theft, malware installation and as many misdeeds as you can imagine. The research was carried out by the firm FireEye and Pennsylvania State University. As we have come to expect, this third security hole in a terrible month for Android could affect almost any device.

Sunday, August 23, 2015

Reversemode: "I started in reverse engineering thanks to the 90's crackers"

Rubén Santamarta. Bug discoverer.

There are few nicknames as apt as Rubén Santamarta's: Reversemode. A reverse engineer by profession, and almost by addiction, Rubén "reverses" everything that crosses his self-taught curiosity, be it the Tax Agency's network, RENFE's online ticketing system, TVE's news editing software or the SCADA system controlling a power plant. When it is a hobby, he tells the story on the collective blog 48bits, emblem and shelter of some of the best local hackers.

Elegant and reserved, with a touch of Peter Pan, Rubén was born in León 33 years ago and does what he loves at a very cool company called IOActive, with the whole wide world as its headquarters. He knows well what 0-day mining means, and what it means for the bad guys to send him blank cheques, but being in the eye of the storm of the information revolution does not seem to have dented his essential honesty. So he insists that he feels not like an elite hacker but like a "proletarian hacker", whatever that means.

Friday, August 21, 2015

Do you know who plays on your team?

Answered prayers cause more tears than those that go unanswered. That could perfectly describe the situation at Ashley Madison, the dating site for married people. Now there is a new leak twice the size of the spectacular one from the start of the week: 20 gigabytes of data which appear to include even the company's internal corporate data. All this while the German Parliament suffers a "blackout" and a recent survey says one in three employees admit to having a "price" for leaking information.

The dating site Ashley Madison is reaching its limits. Management says it is investigating what happened and learning its lesson and, despite everything, that an undetermined amount of the data in the leaks is fake. But security experts such as Brian Krebs have no doubt the data is genuine. And it keeps growing: 48 hours ago the news was a 10 gigabyte leak; the new one doubles it (20 GB) and could contain even more sensitive information. Remember that the breach made the news on July 20th, and even then the company was threatened with the publication of this data unless it shut down its business.

Thursday, August 20, 2015

Your privacy is in your hands too

A day after the leak of thousands of accounts registered on Ashley Madison, the dating site for married people, it is practically the only topic of conversation in the "infosec" world. What is on the table is not the moral question, which is a private matter; the debate focuses, once again, on the security of our information and on whom we entrust it to. Today we will also see how this relates to digital warfare, look at some attacks on supermarkets using WhatsApp and dig deep into the Rock of Gibraltar.

Among the leaked Ashley Madison accounts some are clearly fake, such as the one belonging to an alleged "Fox Mulder" of the FBI, one using "I trust you don't" credentials from the United States National Security Agency (NSA), or the supposed official account of former British Prime Minister Tony Blair. But Iain Thomson of The Register says there is enough data to take at least some of the leaked information as genuine. The author wonders how some corporate IT departments can leave their doors open to a dating site, even if it has been shown that giving employees freedom online is good for productivity. Because one thing is one thing, and another thing...

Wednesday, August 19, 2015

You've got a date with a hacker (one of the bad ones)

10 gigabytes of data, user names, real names and surnames, 33 million passwords and partial credit card numbers. Those are the headline figures of the "hack" suffered by Ashley Madison, the dating site for married people. A "hack" made all the more serious because it was also a "leak": someone dumped this information on the "deep web". And it happens on the same day a critical "zero-day" for Internet Explorer appears. Who can top that?

The Canadian company Avid Life Media is behind Ashley Madison and has labelled the episode a "criminal act". Meanwhile Ars Technica digs deeper into what happened and says the "hack" is not only real but "worse than we thought": even the accounts of users who had chosen to delete their profiles were hacked and leaked, along with PayPal accounts belonging to company executives. "It's not just a capture of the database, the infrastructure has been compromised at a large scale", says TrustedSec researcher Dave Kennedy in a post.

Tuesday, August 18, 2015

More and more telecom operators use super-cookies to track their customers

They are indestructible. Even if we press the "clear cookies" button, they are still there, because they do not live in the browser at all: the operator's network injects a tracking identifier as a header into each unencrypted HTTP request, so nothing stored on the device can be cleared to get rid of it (HTTPS traffic, which the operator cannot modify, is the practical exception). The purpose of super-cookies is to track our browsing, to the greater glory of targeted advertising, and more and more telecom companies are installing them on their customers. We will also talk today about a dangerous hole in OS X, ransomware, and how to detect that our BIOS has been infected. Let's go.

When it became known a year ago that Verizon and AT&T were tracking their mobile customers with super-cookies, a scandal broke out and both companies promised to let customers opt out. But six months later their use has not been curbed; it has spread instead. According to a study, nine telecom companies already use super-cookies: Verizon, AT&T, Bell Canada, Bharti Airtel, Cricket, Telefónica de España, Viettel Perú S.A.C., Vodafone NL and Vodafone Spain.
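The check behind that study, as an added example that is not part of the original post: since a carrier super-cookie is a header added by the operator's network rather than by the browser, the way to detect one is to send a plain HTTP request to a server you control and compare what arrived with what you sent, then repeat after clearing cookies and see whether the same value comes back. The captures below are constructed (hypothetical `probe.example` host and placeholder token); only the X-UIDH header name comes from the Verizon case, and the list of proxy headers treated as benign is an assumption.

```python
# Added example (not from the original post): detecting a carrier-injected
# "super-cookie" by comparing the HTTP request a client sent with the request
# a server under our control actually received. The captures below are
# constructed; only the X-UIDH header name is taken from the Verizon case.
from typing import Dict, List

# Header the Verizon case made famous. Anything else that shows up server-side
# without having been sent by the client is flagged generically.
KNOWN_TRACKING_HEADERS = {"x-uidh"}

# Headers that proxies legitimately add in transit (assumed list); they are
# not evidence of tracking on their own.
EXPECTED_PROXY_HEADERS = {"via", "forwarded", "x-forwarded-for", "x-forwarded-proto"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.1 request into a lower-cased name -> value map."""
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the request line, not a header
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_injected_headers(sent_raw: str, received_raw: str) -> Dict[str, str]:
    """Headers present in what the server received but absent from what the client sent."""
    sent = parse_headers(sent_raw)
    received = parse_headers(received_raw)
    return {name: value for name, value in received.items() if name not in sent}


def classify_injected(injected: Dict[str, str]) -> Dict[str, str]:
    """Label each injected header as known tracking, proxy metadata or unexpected."""
    labels: Dict[str, str] = {}
    for name in injected:
        if name in KNOWN_TRACKING_HEADERS:
            labels[name] = "known tracking header"
        elif name in EXPECTED_PROXY_HEADERS:
            labels[name] = "proxy metadata"
        else:
            labels[name] = "unexpected header added in transit"
    return labels


def persistent_identifiers(sent_raw: str, received_sessions: List[str]) -> Dict[str, str]:
    """Injected headers whose value is identical across every captured session.

    This is the "clear cookies and it is still there" test: the client wiped its
    state between sessions, so a value that never changes is a network-side
    identifier, not something the browser stored. Known proxy headers are
    excluded because a static Via line is expected, not tracking.
    """
    if not received_sessions:
        return {}
    per_session = [find_injected_headers(sent_raw, r) for r in received_sessions]
    candidates = dict(per_session[0])
    for injected in per_session[1:]:
        candidates = {n: v for n, v in candidates.items() if injected.get(n) == v}
    return {n: v for n, v in candidates.items() if n not in EXPECTED_PROXY_HEADERS}


# Constructed captures: what the browser sent, then what the server saw in two
# sessions separated by a "clear cookies" (no Cookie header in either).
SENT = (
    "GET /check HTTP/1.1\r\n"
    "Host: probe.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n\r\n"
)
RECEIVED_SESSION_1 = (
    "GET /check HTTP/1.1\r\n"
    "Host: probe.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n"
    "Via: 1.1 carrier-proxy\r\n"
    "X-UIDH: EXAMPLE-TOKEN-0001\r\n\r\n"
)
RECEIVED_SESSION_2 = RECEIVED_SESSION_1  # same token again after clearing cookies

if __name__ == "__main__":
    injected = find_injected_headers(SENT, RECEIVED_SESSION_1)
    for name, label in classify_injected(injected).items():
        print(f"{name}: {label}")
    print("persistent:", persistent_identifiers(SENT, [RECEIVED_SESSION_1, RECEIVED_SESSION_2]))
```

The comparison only tells you something over plain HTTP: the operator cannot add headers to a TLS connection, which is also why browsing over HTTPS is the practical defence against this kind of tracking.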

Monday, August 17, 2015

The NSA and mobile telephony: Snowden strikes back

This weekend Snowden revealed, through "The New York Times", a new batch of documents showing the close collaboration between the US National Security Agency and that country's leading telecommunications company, AT&T. We will discuss it, along with two pieces of research which reveal, on the one hand, a flaw in BitTorrent that makes it useful for DDoS attacks and, on the other, that it is possible to install "ransomware" on Internet of Things devices. Finally we will talk about Kaspersky, accused of sabotaging its rivals.

According to "The New York Times", AT&T has reportedly been spying on Americans' communications for the NSA since the 1980s. In 2011 AT&T reportedly began handing the agency 1.1 billion mobile phone call records per day. This is all the more galling because the NSA had publicly stated that it only monitored fixed-line telephony. Another surprise was in store for the United Nations, an AT&T customer: all communications at its headquarters were spied on in 2012.

Sunday, August 16, 2015

Román Ramírez: "We are organizing RootedHONGKONG"

Román Ramírez, the most visible face of RootedCon, the security conference.

"I was born in the Dominican Republic in 1974 and came to live in Spain at the age of five, when my parents separated. I have been into computing since 1992/1993, although at school I was already interested in the subject, but at home there was no money for a computer, so I used my friends'. I learned computer security self-taught, in parallel with learning programming and systems management. I spent time at university, where I lost many illusions. Now the most important project of my life is my daughter."

Román Ramírez speaks for himself. A man of strong character, an old-school hacker, light and dark, and proud of it. Román is not lost and is not a cliché; he is self-made and not a stereotype. You love him or hate him, or a bit of both, but always in a big way, chest out. Today he is known as the president of RootedCON, which last year, in its fifth edition, brought together 1,304 people. It is without doubt the largest Spanish hacker convention.

Friday, August 14, 2015

The most popular websites are suffering a plague of ads that infect visitors

This summer will be remembered on the Internet not for a plague of mosquitoes but for malicious advertisements carrying viruses as fearsome as "ransomware". The plague was first detected on Yahoo! and continues across the most visited websites. We will also discuss how our phone's battery status can be used to track us while browsing, the serious problems with Android security and the true story of a company that managed to recover money stolen over the Internet by bribing police officers.

This summer we recommend browsing the net carefully. A criminal operation has been running since June that infects ads on websites with millions of visits, such as Yahoo! or the Drudge Report. The malicious ads use HTTPS encryption to evade detection. When they find a visitor with a vulnerable browser, they infect the computer with malicious code which may include "ransomware", the worst kind of virus for users because it encrypts all files and demands a ransom. We recommend keeping browsers and their plugins (Flash above all) patched and installing ad-blocking software.

Thursday, August 13, 2015

How to hack a morphine pump to administer a lethal dose

We had heard that at the latest BlackBerry Security Summit in New York, the company's head of security David Kleidermacher and the expert Graham Murphy had shown how easy it is to hack a drug infusion device. But nothing is as frightening as seeing it live. We will show it, along with the list of Lenovo products that ship with a "rootkit" installed by default, new malware that attacks Cisco firmware and a new chapter in this summer's drama in the United States about whether back doors are necessary and where the limits of encryption lie.

The device is loaded with morphine. The hacker shows how possible, and how easy, it is to connect to the device over Ethernet or Wi-Fi, browse its file system, locate the executables and, by manipulating the right one, administer a lethal dose. In 15 minutes, which could be 10, or even 5. The device is made by a company called Hospira, in Illinois, which has sold 400,000 devices like this one to hospitals around the world.

Wednesday, August 12, 2015

Hacking the stock exchange: unpublished financial releases have been stolen

After hearing the news, Kevin Mitnick explained on Twitter that he had thought about it years ago, though he never went through with it. Now Ukrainian hackers have done it, stealing financial information about publicly traded companies while it sat on the computers of their press agencies waiting to be published. We will also talk today about possible Chinese email spying on senior US military officers, a flaw in a common device that could leave many cars without brakes and Spanish legislation on drones.

Business Wire workers
Cybercriminals broke into the computer networks of agencies such as Business Wire, PR Newswire and Marketwired, which distribute press releases with financial results and other material information about listed companies. They had access to this data before it was public, so they could trade with a clear advantage. The fraud, which lasted five years, amounts to about $100 million, with 32 defendants.

Tuesday, August 11, 2015

US banks manage to evade government backdoors

The US government and its cyber intellectuals are spending the whole summer debating how strong encryption should be, where it should be applied and the use of back doors in the fight against the bad guys. In the middle of that debate it has emerged that banks are migrating to a new secure communications system, Symphony, to avoid government surveillance. We will discuss it, as well as Oracle's warning to those who look into its code, a serious flaw in Intel and AMD processors and the news of the day: Google reorganizes itself into Alphabet... but forgot to check whether the domain was available.

Joke about the letter from Oracle
HSBC, JP Morgan Chase, Citi, Deutsche Bank, Goldman Sachs and other major banks are migrating to Symphony, a cloud-based communications system. The move has not pleased US Senator Elizabeth Warren, who sent a letter to the Attorney General requesting more information about a system which, according to Warren, would serve to "evade compliance controls and regulatory review". Banks are getting tired of being spied on by the government, as happened when the NSA poked its nose into SWIFT.

Monday, August 10, 2015

$39 million stolen from a company by tricking a manager via email

The accounts of the American technology company Ubiquiti Networks have revealed it: according to the results of its second fiscal quarter of 2015, the company lost $39.1 million to a Business Email Compromise scam, a type of social engineering that is very popular even though managers worldwide remain largely unaware of it. Other news that caught our attention today: a fine for another company over the theft of two of its servers, a drone that is mapping the Internet of Things and how to destroy a hard drive.

It is summer, August, and the heat is oppressive, but the flow of IT security news does not melt away, as our readers will see if they visit our Twitter account. From that relentless torrent we have singled out the email deception suffered by an employee of Ubiquiti Networks. That is how the thieves gained control of a manager's email account, one with the authority to approve transfers. And indeed, they approved a multi-million dollar transfer.

Friday, August 7, 2015

Someone put a spyware in Alberto Nisman's phone

Yesterday the DefCon hacker convention began in Las Vegas, right after Black Hat. It is, without any doubt, an avalanche that the specialized cybersecurity press has to deal with, reporting all the news presented at Black Hat. After the surprising bugs and the digital magic tricks, there are a few truly important talks, one of them presenting the findings of a researcher who examined the phone of Alberto Nisman, the Argentinian prosecutor who died in strange circumstances. We will talk about it along with other interesting stories from Black Hat.

Alberto Nisman was found dead in his apartment on January 18th of this year, the day before he was due to testify before the Argentinian Congress against the current president, Cristina Fernández de Kirchner, over her alleged involvement in the matter of the 1994 Iranian terrorist attack in Buenos Aires. According to Morgan Marquis-Boire, security director at First Look Media, speaking at Black Hat, Nisman's phone, a Motorola xt626, carried for at least six months spyware that monitored his calls and messages and also took screenshots. We already knew in June that someone had tampered with his computer, physically and even remotely, the week before and a few hours after his death.

Thursday, August 6, 2015

Tell me who your friends are and I'll tell you whether Facebook will lend you money

Facebook has just patented a system that determines a person's creditworthiness based on their circle of friends on the social network. Lenders would receive from Facebook various lists (grey, black and white) indicating the average creditworthiness of the social circle of the person requesting credit. Today we will also explain that Google will update Android more frequently, how an app can find out our phone number and an attack that sounds like it comes from the Land of Lollipops: Man in the Cloud.


Facebook's new patent describes a system of authorization and authentication based on a person's network, which may have many uses, such as filtering spam and offensive content or improving searches. Facebook suggests just one of them, as novel as it is disturbing: an application that automatically decides whether a person deserves credit, taking into account the financial capacity of their network of friends. Welcome to the future.

Wednesday, August 5, 2015

Crime prediction is now a reality, says the head of the NYPD

The science fiction film "Minority Report", directed by Steven Spielberg in 2002 and based on a short story by Philip K. Dick, surprised audiences with its idea of a police unit called Precrime which, thanks to people with precognitive abilities, could predict who would commit a crime and when. This unit, as New York's police chief has said, is no longer fiction but an increasingly common reality. We will talk about it, as well as the FBI breaking TrueCrypt, a former government adviser calling for an eye for an eye in cybercrime and the Chrysler car hacking saga: many customers have sued the company.

According to Bill Bratton, New York's police chief, the next stage for American police is the ability to predict crimes through data mining on large volumes of information and the development of algorithms that "can analyze these data in many ways impossible for the human mind". Bratton calls it "predictive policing", and it is already being used by the army to fight terrorists.

Tuesday, August 4, 2015

Researchers create a dangerous worm that attacks Macs

It is well known that most viruses target the Windows operating system, with Apple and Linux systems relatively safe. But that statement is less and less accurate, and it has just been demolished by two researchers who have created a worm that attacks Macs and is virtually undetectable and indestructible. We will also talk today about how to build a card "skimmer" in under 10 minutes, the abrupt end of a hitchhiking robot's journey and a journalist dismissed as paranoid until the Snowden documents proved him right.

Tomorrow, at the Black Hat conference in Las Vegas, two researchers will explain in detail how they created Thunderstrike 2, a worm that exploits holes in Mac firmware. When a peripheral (a Thunderbolt device, in the researchers' demonstration) is connected to an infected Mac, the peripheral's own firmware is infected too, ready to infect other Macs it is later plugged into, without any human intervention. Once it is installed in the firmware it is very hard to detect and remove, because operating system updates or reinstalls never touch the firmware. For the sake of the "macers'" health, we hope Thunderstrike 2 never leaves its cage.

Monday, August 3, 2015

Windows 10 spies on you... a lot

Microsoft is giving away its new Windows 10 for free, but what is the cost to its users' privacy? Security experts warn that many default options in the new version of the operating system are a danger to privacy. We will talk about it, as well as a new vulnerability in WhatsApp that allows eavesdropping, the antivirus company BitDefender, which has been attacked, and the arrest of the founder of the bitcoin exchange Mt.Gox.

August starts hot, even though we have not yet talked today about the Black Hat conference in Las Vegas, which will keep us supplied with news all week. We start the week with Windows 10, just launched and already with serious privacy issues, "invasive by default", according to experts. Windows 10 has full access to email accounts, messages, contacts, calendar data and the user's location, which in some cases Microsoft may pass on to "reputable companies". Changing these default settings is not exactly easy. On top of that, the new browser, Edge, shows personalized ads.

Sunday, August 2, 2015

"No cON Name: the money doesn't add up"

José Nicolás Castellano. President of the No cON Name conference.

Nico Castellano, 13 years as president of the longest-running Spanish public hacking conference. That means since 2002, when nobody wanted to fund an event whose organizers were 18, even when they tried to disguise their age with grown-up suits. No cON Name was born in 1999, half underground and half business event, sponsored by the consultancy S21Sec, in search of so-called "white hat hackers".

Majorcan with Argentinian roots, Nico is a well-read man. He also carries a strong political background that has never turned into hacktivist whims, at least as far as we know, despite his vast knowledge of computer security. He prefers research on communications and systems, even if work has sometimes put him in areas like pentesting. Above all there is his bond with No cON Name, his passport to becoming an endearing figure of the Hispanic hacker community.