Friday, October 30, 2015

Virus, virus everywhere!

If yesterday's news was all about stolen data, enough for a single-topic post, today we turn to the other great menace on the network: the bugs. Ransomware, spyware, botnets... are some of the bigger dangers lurking in the dark and tangled forest that the Internet sometimes is, a forest with a thousand faces, which can show us a joke that makes us laugh as never before, frighten us because our most private data has been shown to everybody or, even worse, give us reason to panic because a virus has encrypted all our files.

If we had to put an image to the bugs, it might be the squids with horrible tentacles that attack Morpheus's ship and stick to it. Spyware would be something similar: it sticks to our computers and phones to suck out all our information. As it happens, European police are conducting a campaign, started by the German justice system, to stop the criminals behind the Android spyware Droidjack. For the moment, 4 people have been arrested in France, suspected of having bought this spyware on the black market.

Thursday, October 29, 2015

Do you want your friends to know that you visited the psychiatrist?

The digital magazine “Motherboard” has announced a new section, “The hack of the day”, devoted to the data leaks we're seeing daily. Today has been an especially prolific day on this topic, which is why we decided to dedicate our entire post to it: from psychiatric patients whose data was stolen from the hospital to the exposure of British Gas customers' account passwords. Is there a remedy? We'll finish by reading a text by the renowned expert Bruce Schneier, in the hope of shedding light on the matter, even just a little.

The Woodhull Medical and Mental Health Center in Brooklyn has sent letters to 1.581 patients to notify them that their data was on a stolen laptop. Although the laptop was password-protected, the data wasn’t encrypted. We’re talking about the patients' names and surnames, medical histories and more. The letter ends by “calming” the victims: social security numbers were not among the stolen data, so nobody will be able to use them. That hackers holding this information could blackmail them in exchange for not telling their bosses or friends about their depression isn’t so important, for sure.

Wednesday, October 28, 2015

FBI opens Pandora's box on whether ransomware victims should pay

Today it is the star topic in cyber security forums all over the world: should we pay the ransomware blackmailers or not? The FBI says yes, but the rest of the experts insist that we shouldn't. Who do we listen to? Today we’ll also talk about the world's main carriers selling their customers' data, a very lucrative business; about a change in US copyright law; and about an experiment: leaving 200 flash drives “lost” in public places to see where they end up.

Last week, at the Cyber Security Summit in Boston, special agent Joseph Bonavolonta confirmed that, for some ransomware attacks with strong encryption, the FBI recommends paying the money the criminals request in exchange for the decryption password. This has caused indignation among most cyber security experts, whose standard advice had always been not to pay: there is no guarantee the criminals will send the password, if they do send it, it may contain another virus, and paying feeds this criminal business.

Tuesday, October 27, 2015

In the US army nobody reports computer failures for fear of reprisal

Today we’ll devote part of our daily post to what we could file under “cyberwar”, but from surprisingly different points of view. One of them was unveiled in a US Army magazine: people are afraid to report “bugs” because of possible reprisals. We’ll also talk about a trojan discovered on the laptop of a senior German government official and the provocative operations of the Russian navy, and we'll finish with a new list of methods to hack cars.

According to an article published in the “Cyber Defense Review”, the American Army has no centralized management of security updates and no oversight of computer failures, and penetration tests are forbidden. Personnel have no incentive to report the failures they find. On the contrary: they fear retaliation, which would consist of loss of access to the system, revocation of authorizations and other punitive actions. As a result, nobody reports the “bugs”. And this situation is repeated in other armies around the world.

Monday, October 26, 2015

Can they hack your car and also introduce a virus?

Imagine you take your car to the mechanic and, when he plugs it into the computer to run diagnostics... the car transmits a virus to the computer. Is this scenario possible? Three researchers from the Budapest University have proved that it is. We'll talk about it, as well as security in BlackBerry's Android phones, news on the TalkTalk data theft and a proposed law in Germany that would finally allow telecoms to retain their customers' data.

András Szijj, Levente Buttyán and Zsolt Szalay have published a study in which they explain how it would be possible not only to hack cars remotely, something that has been a recurrent topic since the summer, but also to introduce a virus that could, for example, change the configuration of the airbags through man-in-the-middle attacks.

Friday, October 23, 2015

The Sony hack will cost 8 million in compensation for its employees

The companies that read us should apply the saying “When a boat sinks, the rats are said to be leaving” to the opening story of our daily computer security summary: after the horrible hack Sony suffered in 2014, the company now has to pay 8 million dollars to its employees over the theft of their personal data. Today we'll also talk about another major data leak, suffered by the ISP TalkTalk, about how the sewers of states take revenge on the researchers who discover their viruses, and about a new, very contemporary Asterix adventure.

In 2014 Sony suffered a terrible hack, possibly planned by the North Korean government, which involved one of the most ominous data leaks in the history of IT security. The company's employees sued it over the leak of their personal data, and the case has now concluded with the payment of 10.000 dollars to each employee whose identity was stolen, as well as 1.000 $ per person to reimburse the protection measures taken after the attack. Plus the legal costs. 8 million dollars in total.

Thursday, October 22, 2015

Apple repeats to the police: it’s impossible to unlock an iPhone without the password

The police are mad at Apple because it refuses to unlock iPhones seized from criminals. They believed Apple had some kind of master password or backdoor, until the company confirmed before a judge that this “master password” doesn’t exist: it's simply impossible. Today we'll also talk about Android, the “new” attacks on the NTP protocol and how the NSA broke Internet encryption. Here we go.

Since Apple released version 8 of iOS, which runs on 90% of iPhones, the police say they are unable to unlock the smartphones and access their content without knowing the password. Last Monday Apple confirmed, before a United States federal judge who reminded the company of its obligation to cooperate with law enforcement, that this is impossible even for Apple itself. Even so, researchers have proven that it is possible to access an unlocked iPhone in other ways, without breaking its encryption.

Wednesday, October 21, 2015

How to falsify a chip card? By putting another one on top

Call it an "astonishing trick" or a clear-cut “hack”. The fact is that many security researchers were amazed to learn how some French criminals managed to steal almost 700.000 euros using stolen chip cards without knowing the PIN. We’ll talk about this, as well as serious flaws discovered in encrypted hard drives, the progress of the most popular certification and an interesting report on the world of 0day vulnerabilities.

While all around us we already feel saturated by jokes, news and other things about the day Marty McFly came back to the future (today), we travel back to 2010, when researchers at Cambridge University discovered a flaw that allows criminals to use chip cards without knowing the PIN, through a man-in-the-middle attack. In the following years, a group was detected that used this trick with chip cards stolen in France and “drained” in Belgium. The trick consists of putting a chip right on top of the legitimate one. The second chip will accept any PIN entered. By the way, in case anyone was thinking of using the flaw: it has already been fixed.

Tuesday, October 20, 2015

The guy who hacked the CIA director is 20

Yesterday's news was confusing: nobody believed that a 20-year-old boy and his friends could have broken into the email of John Brennan, the CIA director. Today, with the documentation provided and after the conversations with the media, everybody believes it. We'll also talk about an attack that is compromising hundreds of online stores, the plague of fake product reviews on the Internet and the withdrawal from iOS of almost 300 apps that collected private information.

The boy who says he hacked the CIA boss didn’t give his name, but he did give his Twitter account, @phphax, where he sympathizes with Anonymous and the Palestinian cause. He and two friends discovered that Brennan's phone number was with Verizon, so they called Verizon and, through social engineering, obtained his personal information: ID, PIN, second phone number, AOL e-mail address and the last 4 digits of his bank account. With this information they got into the AOL account, changed his password and stole sensitive information, which they published on Twitter.

Monday, October 19, 2015

The cyber war brings us to… prehistory?

The best defense in IT security is not to use computers at all. It sounds paradoxical, and in fact it is. Likewise, the best way to prepare for an IT attack is to make sure that we could keep working without computers. This is what the US Marines have concluded, and we'll explain why. We'll also talk about how to protect ourselves against the NSA, a Kosovan who passed military data to ISIS and the most frequent causes of errors in IT.

The US army is once again teaching its students how to use the sextant, ten years after dropping these studies in favour of GPS. The reason is to guard against possible attacks that could leave a ship without network access or feed it fake information about its geographic position. With these scenarios becoming more and more plausible, the marines have decided it is worth recovering the old knowledge, because a sextant can’t be hacked. Something tells us other sectors will follow in their footsteps; if you doubt it, ask the hackers at hacker conventions, where they don’t use computers or smartphones so as not to get hacked. Is going back to the cave the best defense against a cyber attack?

Friday, October 16, 2015

Alfonso Muñoz: "I investigate the hiding of executable code"

Alfonso Muñoz, second in command of CriptoRed.

Most of our readers probably don't picture a cryptographer like Alfonso Muñoz: handsome, 34, no glasses or suit, more hacker than nerd, he works as a "senior security consultant" at IOActive, one of the world's top cybersecurity companies. "I was born and live in Madrid, I'm a family person and quite a homebody, I don't need much to live. My physical integrity is defended by my dog, a "fierce" Yorkshire able to crush any spy who tries to enter my house ;)" Only his nick, @mindcrypt, reveals that there's something "strange" about him.

Alfonso entered the Polytechnic University of Madrid in 1999 to study for a degree in Technical Engineering in Telecommunications. "I wanted to study something quick to earn a living. My family is the classic working-class family who moved to Madrid looking for a better future". But he started getting the highest marks and enjoying it a lot, so he completed another degree, Telecommunications, then a doctorate and then a postdoc, joining many projects and even working as a teacher. But Alfonso is a rough diamond and the walls of the University have become too small for him. Here he is, just taking flight.

The subterfuge in ATMs is constantly increasing

In recent years we have been witnessing an increase in attacks against those large metal boxes that are cash machines. Despite their physical robustness, it has been shown that they are vulnerable through software, with slots where things that should not be plugged in can be plugged in. We'll go over statistics on this topic, as well as a study warning about how careless councils are with our privacy. And we'll finish by travelling to the USA, where the technology giants have come out against the CISA law and some researchers have discovered the hole the NSA exploits to spy on us when we're browsing.

The European ATM Security Team has just presented a report showing the rise of ATM fraud, with an 18% increase in losses (156 million euros) in the first half of the year compared with the same period last year. Most of this fraud, 131 million euros, is attributed to “skimmers”: cameras and devices that copy our data when we insert the credit card. The USA and the Asia-Pacific region, especially Indonesia, are the most affected.

Thursday, October 15, 2015

They can hack your phone if you have Siri or Google Now activated

What would happen if your smartphone started browsing by itself? If it texted or made calls on its own? It seems impossible, but a group of French researchers from the ANSSI agency has discovered how to do it. Today we'll also talk about police efforts to stop the Dridex banking trojan, the poor security of the American Internal Revenue Service and an initiative to secure routers, endorsed by eminent figures of the network.

The ANSSI researchers have discovered how to use radio waves to hack Siri on the iPhone and Google Now on Android, provided that earphones are connected to the smartphone. It’s a good moment to remember that Siri is activated by default on the iPhone. From there, the attackers can do whatever they want with the smartphone: make calls, send messages, browse, write on Twitter… The researchers have filmed a really creepy demonstration video.

Wednesday, October 14, 2015

Which Android smartphone is safer?

The growing number of vulnerabilities discovered in Android is making security one of the priorities when we go to buy a smartphone. A team of researchers at Cambridge University has created a vulnerability database that allows them to rank the safest Android devices. We'll talk about it, as well as other selected news of the day: a cyberattack on the South Korean subway, the update of the most famous cyberwar manual and a weapon to “kill” drones.

Unsafe Android devices over time

87% of Android devices are unsafe according to, a situation which has been getting geometrically worse since 2011. The statistics the project generates, through apps installed on volunteers' devices, make it possible to rank smartphones from most to least safe, with Nexus the most secure, followed by LG, Motorola and Samsung. The least secure are Walton (the worst), Symphony and Alps.

Tuesday, October 13, 2015

The biggest purchase in technology history

The computer manufacturer Dell announced yesterday the biggest purchase in the history of technology, acquiring EMC for 59.000 million euros. EMC owns, among others, the veteran company RSA Security. What will its future be? That's the question many analysts are asking today. We'll also talk about the complicated rollout of chip cards in the USA, the theft of Wall Street Journal subscribers' data and how the police can break into your iPhone without using backdoors.

EMC is a storage systems and data management company. It owns, among others, VMware (virtualization and cloud), Mozy (backups) and RSA (security). Since Dell has its own security company, SecureWorks, acquired in 2011, the question is whether EMC will spin off RSA or integrate it with SecureWorks, creating a strong corporate IT security division.

Sunday, October 11, 2015

Rampa: "Username / password credentials are outdated"

Ramón Martínez (Rampa). Hackers master.

In 1987 Ramón Martínez, from Monóvar (Alicante), wrote the first manual in Spanish about hacking and phreaking, under the alias Ender Wiggins. He was a member of the legendary group Apòstols and ran at least two BBSs, meeting places for the hackers who were then surfing the X25 seas and breaking into the machines connected there. Thin, shy, nervous, a visionary who is always 'on'... Rampa is now a 46-year-old child, a hacker whether he likes it or not.

But when you have 3 kids you have to grow up, or at least look like you have, so Rampa turned his BBS into the first commercial ISP of the 90s: Encomix, technically one of the best in Spain. It was so reliable that the financial world trusted him with the first online banks. In 1999 he sold his creation to an ISP in the United States for an exorbitant amount, bought a building and devoted himself to what he liked: recording music. After many twists and turns, today he's still leading the way, playing as always with the newest things.

Friday, October 9, 2015

A rival company allegedly stole the Uber databases

It’s as old as the first network, but it still happens, and often we don’t realize it when a company is attacked. We mean fights between rival companies, such as denial-of-service attacks to knock out customer service or the theft of confidential information. This is what allegedly happened at Uber, according to a recent investigation we'll talk about. We'll also talk about dangerous malware that is stealing credentials on Cisco virtual networks, the small fortune Microsoft paid to a hacker and a tool that lets web administrators find out whether their cloud servers are exposing sensitive information.

In May last year someone stole Uber's database, which held 50.000 driver's licenses belonging to its users. Some of them were sold on the Dark Net. Uber started an investigation, which has just concluded, in which an IP address was traced to a rival company, Lyft, and specifically to its CTO, who has denied everything.

Thursday, October 8, 2015

Talking with the hackers who infected routers to make them safer

It is without doubt the most heroic story in today's cyber security world: a mysterious group of friendly hackers called The White Team infects hundreds of thousands of routers to secure them. When they were discovered, they published part of the source code of their malware and declared: “We are nobody”. We'll start today with this beautiful story, which will be remembered for a long time, before plunging into the usual miseries: an online payment provider breached, phishing via LinkedIn and adware picking on Android users.

Symantec researcher Mario Ballano discovered this curious malware, called Wifatch, which gets into routers, IP cameras and other devices with insecure passwords and secures them. Yesterday, while everybody was still surprised by this amazing and altruistic feat, The White Team published on GitLab the code and a self-interview explaining why they did it and what they think the result has been: “We are saving bandwidth by deleting malware and illegal bitcoin mining programs from routers, avoiding service interruptions or the theft of credentials and money”. Well, thank you so much!

Wednesday, October 7, 2015

Tips to survive Safe Harbor

For 24 hours we have been under a flood of news about the invalidation of the data exchange framework between the USA and Europe known as “Safe Harbor”. But while more than one commentator has signed the death warrant of many companies, others have read the ruling closely and concluded that it's not such a big deal. We'll talk about it, as well as the large-scale operation against a popular ransomware, the theft of RSA passwords in the Amazon cloud and the annual convention of the Industrial Cyber Security Center. Here we go.

With Safe Harbor invalidated, American companies can’t transfer the personal data of European citizens to their systems unless the people affected give their personal authorization. This takes much of the drama out of the matter, because the affected services will simply add a paragraph to their terms of use. The collateral victims will be the European companies that rent servers in the United States. These companies are now in big trouble.

Tuesday, October 6, 2015

How to hack the main bank of Denmark (almost) easily

First we have to say that most banks work hard to be safe in an environment as complicated as the Internet. We know excellent experts in this field for whom we would put our head on the block, and we would open an account at their banks without hesitation. But there are many other examples too, as an ethical Dutch hacker who browsed the Danske Bank site has shown. Today we'll also talk about a few problems in iPhones and the increasing use of facial recognition to monitor us.

Sijmen Ruwhof explains on his blog what happened when he visited the website of Denmark's main bank, Danske Bank, to lightly test its security: vital information in plain sight, the possibility of accessing other users' cookies and, therefore, their accounts, insecurely routed traffic… Luckily, Ruwhof says, when he warned the bank of these problems, they were solved in 24 hours.

Monday, October 5, 2015

#NNC5ed: We were at the congress of the year and we tell you everything

Pure hacker culture, community, humour, attitude, cyber security, fraternity. All these tags could complement the official one, #NNC5ed, which brings together two of the most important Spanish hacker conventions: Navaja Negra and ConectaCon. The event was held over a long weekend, from last Thursday to Saturday, and more than 600 people came to have a great time. By the way: the hacker community is also growing in gender diversity; we have 5% women, more or less.

Van Hauser, giving hints to the hackers

One of the most crowded talks was José Selvi's: “Delorean, back in time to steal information”. José Selvi, who was interviewed here recently, explained how, by manipulating computers' time synchronization, a hacker could make them travel to the past so as to make HTTPS connections insecure or revive expired certificates, opening up many opportunities for attack, which have been growing day by day since his first talk at BlackHat.

Sunday, October 4, 2015

The interviewer, interviewed: talk with Mercè Molist

She's usually on this side of the interviews. On this virtually hidden side, except for the small signature at the end of each talk with security experts. She has plenty of authority to sign these conversations, and contacts she has cultivated almost since birth, because she is someone whose identity card should read "daughter of curiosity and commitment". If you want to know more, google her. She tries to leave no traces of her personal life, but she cannot do the same (and should not try to) with her professional life.

In May 2012, she wanted to share why she fell in love with hackers. We cannot fit all the reasons here, but this link is the most valuable way to learn about this love in detail. Still, let's take a few notes: "Because they are clever and brilliant, people with endless curiosity and a sense of humor, and they are voraciously critical, able to turn everything upside down (...) The hackers I love would not kill a fly (...) They do not steal or destroy. They snoop. They warn when there is a problem. A hacker, says a friend, is someone able to find an elegant solution to an important problem."

Many of them have been close to her these days, during an increasingly renowned event, in the city that Spanish writer Federico García Lorca called the New York of La Mancha. So, we had no interviewer for Sunday... Well, why not turn her into the interviewee? Yes, her. The weekly snoop. Mercè Molist.

Friday, October 2, 2015

A scary Friday

This is a frightening… Friday. The arrival of the weekend will bring more than one upset to many companies. Today we focus on data theft, but this Friday we’re also worried about an undetectable ransomware, XSS vulnerabilities in WordPress and even one minute of ephemeral glory for someone who bought the domain of in a mistake of the great G. A more than “complete” day to delight security fans.

Horrible news for T-Mobile, which has had confirmation of a data theft affecting more than 15 million customers. The confirmation came from Experian, the company that was breached and one of the outsourcing firms that manages its customers' data. Although financial data is not at risk, the hackers stole names, addresses, birth dates, ID numbers and social security numbers. A gem for preparing more sophisticated attacks.

Thursday, October 1, 2015

Hacking with Spanish flavour

Read, practice and be constant. If you want to be a hacker and devote yourself to computer security, forget about collecting blogs, following an endless list of Twitter accounts and watching a few YouTube tutorials. That isn’t the way; the way is to read in depth, practice as much as you can and put in a lot of time. This is the advice of Spanish hackstar Chema Alonso in his latest video, which opens this post with an unusual 100% Spanish flavour. From Spanish cyber defense to cash dispensers. Olé.

“Over the years I have received a lot of requests for advice on how to learn hacking or IT security”, says the famous cyber security expert Chema Alonso, The Evil. It is a topic he has written about on countless occasions (for example, once, and once more, and once again), but he gets so many requests that he has decided to tackle them on video, not only explaining his three main pieces of advice (read, practice, be constant) but also mentioning the basic book for getting started in this world, and even taking a tour of the Spanish-language blogosphere. Yes, he forgot us (CIGTR), but we'll let it pass this time ;-)