Thursday, December 31, 2015

It's all about compilations


Well, we are on the last day of the year. A year full of news that we tried to bring you in the quickest and most entertaining way we could. A year of enjoying the benefits of technology and warning about its risks. A year's end we want to celebrate with you the best way we know: with a compilation of articles that are themselves compilations of the hottest topics of this year, and of those we expect to see next year.


Wednesday, December 30, 2015

Cyberspace, the battlefield


The Matrix (1999) shows very clearly an approaching reality: the reality of the third environment, cyberspace as a real battlefield.


Tuesday, December 29, 2015

The two faces of technology


Technology brings out the best and the worst in every person and every society. One moment we are facing an advance without precedent in the history of our community, the next we are facing the greatest atrocity. And all of this thanks to the possibilities of technology.


Monday, December 28, 2015

It's difficult not to think badly



These days are for spending time with the family, taking some gastronomic liberties and escaping the daily routine. But we don't forget the security challenges of all the systems that surround us. And that's why we shouldn't skip the daily information pill.



Sunday, December 27, 2015

Jorge Ramió: "There's a looming threat over critical infrastructures"

Jorge Ramió. Professor of security and cryptography.

If there is an archetype of the venerable university professor in the Spanish computer security community, it is definitely Dr. Jorge Ramió Aguirre, from the Department of Information Systems of the School of Engineering Systems at the Polytechnic University of Madrid (UPM). We can read on his personal website that he is just 64. His son is "also an engineer, MBA and deejay", as the doctor details by e-mail.

Small in build, Dr. Ramió affectionately reminds us of Speedy Gonzales because of the constant stream of energy he generously pours into creating interesting projects, which have put the UPM on the map of the Spanish hacker community. When Jorge is not organizing a security conference, he is turning his crypto lab software into an eBook. Or imagining new multimedia lessons about who Alice and Bob were and what they did with the keys. It's all public and free. Definitely, it's really, really hard not to get passionate about this passionate man.


- How do you manage to be always smiling?

- It is the fact of being happy with what has been done. Knowing that you are contributing something to universal culture, even if slightly, something that will serve someone; always having new projects to think about and renew. And obviously having a family that supports you, because they know that all this time dedicated to sharing information for free makes me feel happy, helpful and fulfilled.

- Your most renowned project is Criptored.

- It was born on December 1, 1999, with the main objective of becoming a social network of computer security professionals, and a website to share information, not only in Spain but throughout Latin America. In February 2015 it reached over a thousand members, representing 23 countries, and in September a professional group on LinkedIn was created, which grew to 1,887 members in just three months.

Over 16 years, Criptored has led various projects related to security outreach: 8 CIBSI congresses in different countries of Latin America, the visual encyclopedia of information security Intypedia, the first MOOC in Spanish Crypt4you, the Information Security Teaching Map MESI, Thoth training pills, online training with leading experts as guest lecturers. It has also delivered for free more than 5 million documents on the Internet.

- Why did you start it?

- It was born after a discussion on a mailing list between several security professors in mid-1998, about which area of knowledge was most appropriate for teaching security and cryptography. I noticed that we were a good number of teachers excited about and interested in exchanging our documentation, and I wondered why not centralize all that effort on a webpage, since there were still no social networks.

Moreover, I saw that this could help many colleagues and friends from other universities in Latin America that were a few years behind Spain on issues like teaching information security. In recent years Dr. Alfonso Muñoz has been collaborating with me, and I have been lucky that another university colleague, Mr. Daniel Calzada, has been part of this project from the beginning.

- What is the secret of that success?

- The love we put into making things go well, and something that has very little value here in Spain: innovation. I'll give these three examples: the Intypedia project, born in 2010, was the first to teach security through videos with avatars and we are reaching 600,000 views on YouTube. We could not go on due to lack of a sponsor. The MOOC Crypt4you, from 2012, was the first in Spanish and almost simultaneous with the start of MOOCs in the United States, long before MOOC fever invaded the Spanish universities; it is an active project and we are also around 600,000 visits.

Finally, the Thoth training pills project, born in 2014 with the financial support of Talentum Startups to pay interns, was one of the first of its kind and there is no other similar example in the Spanish language. Keeping a sense of proportion, the closest would be Khan Academy, but the budget difference is astronomical. With over 30 published pills and 55,000 views on YouTube, the goal is to continue publishing at least one pill a month. In other countries this kind of media reach could be considered worthy of institutional support, but not here in Spain. Moreover, in the field of academic recognition this work is useless.

- When I talk to young professionals in computer security, college educated, they always tell me that they can only learn by practicing. Does that mean that college teaching is wrong?

- In security it is very difficult to cover many aspects in two or three subjects, even in the best case that a college has those three subjects. And it gets worse if we speak about practical work. As there is no longer track or specialization in security, in the end you have to choose to impart the basic knowledge on security, encryption, regulation, security management, network security... and you cannot give more, leaving out many other topics that are interesting for the work of a security professional and, of course, most of those missing practical sessions.

Due to the high demand for cybersecurity experts and the interest of young people in everything about it, there should have been a university degree in security for some years now, but no one dares to take the step, even though everyone is crazy about security master's degrees: there are already 26 in Spain, and growing.

We have dozens of subjects to make an excellent security engineering degree, but the trick is to have a dozen expert teachers, even more so in the current situation of Spanish universities where there is no generational change. Young people and security experts can earn three to four times more in other sectors.

- Your projects Thoth, Intypedia and the MOOC Crypt4you, which use audiovisual and distance learning, are they a sample of how you would teach security in universities?

- Yes, in fact the aim of the Thoth project is to generate a large multimedia book that can encompass many security topics and that, by itself, makes up a complete teaching tool. I usually use that material in my classes and it is crystal clear that this is an added bonus. In fact, I know that there are teachers in Spain and Latin America who use Thoth pills and Intypedia lessons to start a topic and draw the attention of their students.

- You are also the author of the Information Security Teaching Map MESI. Is security teaching well covered in Spain?

- We have made huge progress in the last five years, reaching 229 subjects dedicated exclusively to security, 89 of which are required, which is already a great success, another 122 courses partially devoted to these issues and, as I said, 26 master's degrees. There are always pending subjects to address current topics such as malware analysis, reverse engineering, machine audit, industrial security, forensics, pentesting, critical infrastructure security, APTs, etc.

- Each day we wake up to 3 or 4 serious security news stories. What are we doing wrong?

- Learn this maxim: 100% security is never possible, by nature. We talk about security as a dynamic process that adapts through continuous improvement, so nothing will ever be completely secure. On the other hand, it is much easier to destroy than to build.

The problem that lies ahead is the so-called cybersecurity environment, misnamed by some who confuse it with network and information technology security. Cybersecurity unites the IT world with the OT world of machines and industrial systems. The main aspect is the control of equipment and systems from the OT world by IT systems and devices. That's the origin of the word cybernetics and therefore 'cyber'. That is the great threat to critical infrastructure, because we are not talking about my PC infected by a virus (the 80s), or the corporate network destroyed by a worm (the 90s), or even only failures in global networks and cybercrime (the 00s), but the critical infrastructure of a country, whose damage can affect a large population and even cost lives (the 10s).

Text: Mercè Molist

Thursday, December 24, 2015

A computer error frees thousands of prisoners early

3,200 Washington prisoners were reportedly released early because of a computer error, the state governor's office has announced. We'll talk about this, and about a new bank data theft in hotels, Google and Yahoo! joining the attempt to eliminate passwords and a very geeky gift recommendation: a device to spy on mobile phones. Let's start.



The problems in the computer systems of the incarceration facilities started when, by order of the Supreme Court, prisoners began to receive good-behaviour credits. The change in the code introduced a wrong sequence, which began to give some prisoners more credits than they should have received, allowing them to be released an average of 49 days early. In all, 3% of all releases since 2002. What we think is more serious is that the error was discovered in 2012, but it wasn't fixed until a new CIO joined the department and noticed it.


Wednesday, December 23, 2015

Oracle must help its users to destroy old Java versions

It's the first time that the powerful Federal Trade Commission of the United States has admonished a software manufacturer for irregularities in its security updates. The "winner" is the giant Oracle and we'll see why. We'll also talk about the Juniper case and its relation to the Encryption Wars and about one of the Swedish researchers who has cracked quantum cryptography.



The FTC accuses Oracle of making false statements regarding Java SE security, assuring users that the system was safe after the security updates when, actually, the process didn't remove the old and unsafe versions installed on the computers, which is a serious security problem. Oracle will help its clients uninstall these old versions or it will face a fine.


Tuesday, December 22, 2015

Careful with media disinformation about SCADA attacks in 2016

Today it is the main story in most media specialized in cybersecurity: Iranian mercenaries are said to have broken into and stolen information from a dam and an electric grid in the United States. Everyone is worried, except some experts who say it is sensationalism. We'll talk about this, and also about an analysis of banking apps on iOS, a drug case on the Dark Web and the multiple possible attacks against... a light bulb, yes.



Welcome to a preview of what we will possibly see in 2016: the media, with the respectable Washington Post at the head, report an attack against a dam and an electric grid in the United States and point to computer mercenaries paid by Iran as the culprits. Robert M. Lee, instructor of the critical infrastructure course at SANS, says that there's too much sensationalism in the story and that the plans would not have been stolen from the dam's systems but from the contractor's computer. Read this.


Monday, December 21, 2015

Who put the backdoors in Juniper's firewalls?

"Rapid7 has discovered a master password in one of the Juniper firewall backdoors. We hope an exploit will soon appear on Metasploit. Patch now". This warning is going around the cybersecurity neighbourhood on Twitter today. Last Friday we warned about this serious problem and it has worsened over the weekend. We'll talk about this, and about the warning made by Edward Snowden regarding Telegram, the approval of the CISA law in the United States and a new code to warn about legal problems on a website.



If on Friday we talked about a backdoor in devices from Juniper, leader of the corporate firewall market, today we know there are two: one of them allows VPN traffic to be decrypted and the other opens SSH to attackers. Also, the company Rapid7 has discovered a password that would make it easy to open SSH connections. Who put it there? Juniper denied it, while many people recall a secret file unveiled by Snowden which showed an NSA tool to put backdoors in Juniper's firewalls. Was it the NSA? Or another government, which took advantage of the hole made by the NSA?


Friday, December 18, 2015

If you use Outlook, be safe from "bomb emails"

The latest round of patches for Outlook has revealed a serious risk for its users: a malicious attachment can be activated just by opening the mail, with no need to click on it. We'll also talk about an important backdoor in Juniper firewalls, about a big controversy that pits Facebook against a researcher and about the catalogue of devices used by the government to spy on our telephone communications.



Microsoft published the patch for this vulnerability on the 8th of December, but until now we hadn't had more details about this scary threat, which allows an attachment to bypass all of Outlook's controls and activate itself without being clicked. Users must update as soon as possible. It's an especially sensitive hole for corporate environments, where a simple attachment can hide the beginning of a major case of industrial espionage or bank data theft.


Thursday, December 17, 2015

There are 35,000 unsafe databases on the Internet, and counting

"At this moment there are at least 35,000 MongoDB databases publicly available, without authentication, on the Internet", the founder of the Shodan search engine has written, after the recent theft of data on 13 million MacKeeper users. We'll explain this information and also the data on the global increase in database thefts, a serious flaw in Linux startup and the latest adventure of the popular iPhone hacker George Hotz.



John Matherly, founder of Shodan, has written on his blog that the number of unsafe MongoDB databases on the network has increased by 5,000 since the last count, in July. Today there are 35,000, hosted mainly on Amazon, Digital Ocean and Aliyun (Alibaba). The main problems with these databases are the failure to update to newer versions and safer configurations, and the lack of firewalls.


Wednesday, December 16, 2015

Blackmail by postal mail against Ashley Madison users

Today we talk about a big data theft, the one at Ashley Madison, an important security flaw in Joomla and another one in FireEye.


A security breach is a big thing. Ask the users of the Ashley Madison website, which suffered the theft of data on thousands of clients in the summer. Given the sensitive nature of the stolen data, which includes information about sexual preferences and contacts, some users have been blackmailed. The latest development is blackmail by postal mail: a letter is sent to their home asking for thousands of dollars in exchange for not revealing this information.


Tuesday, December 15, 2015

The security of the unnoticed


Every day we see apparently secure services fall. From antivirus systems to e-commerce, toys and even critical infrastructures. There's no limit to the aspirations of an intelligence agency or a cybercriminal group.


Monday, December 14, 2015

Yin-yang of cybersecurity

One thing is "who watches the bad guys" and another thing is "who the good ones are watching". It is not the first time, nor the last, that we ponder these questions. But today is one of those days when both issues may be posed. And be aware: if someone behaves badly, someone else with more skills will take advantage of it, and the first one will pay for both. That is, the bad guys can mislead the good ones into thinking that the bad guys are others. What's more: if they can do it, they will do it.

Twitter warns: there are cybercriminals spying on users, cybercriminals from... government services, such as the US Government, and who knows if some other government. They want to get everything about you: your phone number, your e-mail, your messages. Everything. Twitter has evidence that this is so, but is unable to confirm or deny whether the "agents" have achieved their purposes. Twitter has notified affected users and, for all we know, among them you can find "sweet" profiles such as journalists and security experts.


Sunday, December 13, 2015

Pablo F. Iglesias: "Massive tracking does not help against terrorism"

Pablo F. Iglesias. Digital watchman.


If you search for Pablo F. Iglesias on Google you will find his Twitter account, his website, his LinkedIn account, his YouTube account, his About.me profile, his Facebook profile and another one on Google+. There are a lot of people called Pablo Iglesias in the world, but this one is a 'crack' of the social Internet and that is why he occupies the first page of Google. And why are we talking about him, when this is a computer security blog? OK. Pablo also knows a huge amount about that.

Pablo, AKA PabloYglesias, was born 28 years ago in Mieres, a small mining town in Asturias. He studied for a Telecommunications Engineering degree, but in the third year he was so bored that he switched to Fine Arts. An affable man and proud dad of two cats, his beard cannot hide his good-person face. He works on analytics and digital surveillance for SocialBrains and advises SMEs on what is called "digital transformation". He still has time to write on his blog, which has just placed fourth in the Spanish Bitácoras Blog Awards for Best Information Security Blog.


Friday, December 11, 2015

One in three corporate computers has been attacked in 2015

58% of corporate computers have been attacked in 2015, because in 41% of cases the malware evades the antivirus. This is only one of the frightening numbers shown by Kaspersky Lab's annual study on corporate security. We'll talk about it and about the infection of an article from "The Guardian", about thousands of insecure car immobilizers and about the little interest the Dutch Phone House shows in the security of its clients.




Corporate computers are three times more susceptible to attacks than home computers, according to Kaspersky's annual report. One in three corporate computers has suffered a web attack in 2015, in a world where browsers and the web are now the main entry point for malware and where ransomware is increasing quickly. Worth the read.


Thursday, December 10, 2015

Another media outlet infects its visitors

First it was "The Economist", "Daily Mail" or "Reader's Digest". Now "The Independent" has been attacked and has served malware to its visitors. Today we'll also talk about DDoS attacks, the renewed investigations into who the father of Bitcoin might be and about how easy it is to manipulate the black box of a ship.


We're living through an infection campaign on WordPress sites, which in turn infect their visitors. The campaign uses the Angler exploit kit and the malware is usually ransomware, although banking Trojans have been seen. Some media outlets have fallen and now it has been the turn of "The Independent", which would have infected visitors who use old versions of Flash.


Wednesday, December 9, 2015

Your car can be hacked, but you can't sue the manufacturer

Unless the car suffers damage or an accident, you can't sue the car manufacturer only because it has software flaws. This is the ruling handed down by a judge in the United States and we recommend it today as the interesting story of the day. We'll also talk about an initiative of the same government to secure critical infrastructures, and a cybersecurity training exercise for insurers. We'll finish with the bravery of a bank that refused to pay a cybercriminal's blackmail.

Ford, General Motors and Toyota had been sued because different models of their cars had software flaws that can be used by a hacker to take remote control of the vehicle. The ruling says that, although it can happen, it hasn't happened yet, and the judge can't sentence the companies for something that hasn't happened. We'll see if this ruling applies in the rest of the world. We suspect it would.


Tuesday, December 8, 2015

Cyber-steroids and digital hormones

And what if it's all a matter of steroids? It may not seem so, but we are referring to information security. New malware comes with too many hormones, as if it had gone through a hard session at an elite fitness gym, capable of anything (and never anything good). And on the other hand, those who are devoted to protecting should also swallow lots of hormones to prevent, to research or to regulate. The difference between them is that breaking and destroying was always easier than fixing and rebuilding. Since the world began.

Today we face a new strain of malware designed to steal payment card data. It is nothing new under the sun, right? Well, now you must add that this malware, called Nemesis, is not only difficult to detect but also to remove. On top of that it comes packed with some skills. Among them, it is able to implement bootkit functionality, the kind of bootkit that gets installed in the warmth of your BIOS, so if someone thinks of reinstalling the OS as the "magic formula"... well, it doesn't work like that. You can read the whole story on the blog of Pierluigi Paganini, who echoes the finding from experts at FireEye.


Monday, December 7, 2015

If you have failed, react

If there is one kind of company that is compromised by security mistakes, it is those dedicated to cybersecurity. It's as if a car's brakes stopped working, a judge took an arbitrary decision or a lamp stole light instead of illuminating. It's a crisis at all levels: corporate, reputational and maybe in turnover. Unless they react instantly, as happens in today's case. This is one of the four issues that cannot go unnoticed this Monday, 7th of December.



It was McAfee itself, part of Intel Security, that issued this warning: its enterprise-oriented product Enterprise Security Manager (ESM) has an authentication flaw at admin level. That means that in certain circumstances an attacker could access NGCP, which is the username created by default on first installation, without the password being checked. The firm has immediately published an update patch, and recommends applying it without delay, but also provides some tips in case you cannot apply the update.


Sunday, December 6, 2015

David Barroso: "States will have less and less prominence"

David Barroso. "Jack of all trades and a master of none".


David Barroso is one of the most intelligent hackers in the infosec community. He likes to say he spends 24 hours a day on his passion/job and we suspect it's true, given the many books he reads on the topic, how many people he knows on the international scene and the quality of the information he publishes on his Twitter account. In 1995 he started university and his adventure in the infosec world. Today he is 38 years old, the best age to found a startup, which is exactly what he's doing.

David looks handsome in his suit and he has travelled all around the world on business, but not many know he's a real hacker, very active in the infosec underground at the turn of the millennium. He's the author of exploits and tools like the famous Yersinia, created together with his friend Alfredo Andrés, which is still today the only one able to bring together various layer 2 attacks. We once heard Chema Alonso, Eleven Paths CEO, say: "When I want new ideas, I ask David Barroso".


Friday, December 4, 2015

Be careful who you accept on LinkedIn

New advice, this time coming from Symantec: it's about fake profiles on LinkedIn used to get access to your contacts and gather intelligence for different attacks. Today we'll also talk about bugs in most mobile apps, about a new ransomware campaign which steals passwords too and about the kick-off of the new Let's Encrypt initiative, welcomed by the infosec community.



Be careful with beautiful women claiming to be recruiters from employment companies. They could be fake profiles created by cybercriminals who want to access our professional contacts in order to gather intelligence. Their objective could be spear-phishing attacks to plant blackmailing malware or to spy on their victims' computers. Symantec warns that these fake profiles can be found in every professional sector and not only in infosec, as was detected in the first wave.


Thursday, December 3, 2015

Advice for buying "intelligent devices" this Christmas

Checking whether the device really needs a connection to the Internet, whether the manual includes security measures or whether the seller has a good reputation are some of the good tips offered by the European cybersecurity agency, ENISA. We'll give more advice and we'll talk about 0-day regulations, about technological failures in planes and about the 7th birthday of the Conficker worm, which after 7 years is still installed on thousands of computers.


ENISA has just published an in-depth report about the Internet of Things with security recommendations for manufacturers, installers and users too. Changing passwords regularly, disconnecting the device from the Internet when it's not needed, preferring cable connections to Wi-Fi ones, setting up privacy properly and updating when possible are the most basic security tips. The publication of this manual coincides with the announcement of closer links between the Homeland Security Department of the USA and Silicon Valley companies to reach an agreement about how to improve the security of the Internet of Things.


Wednesday, December 2, 2015

The "cyber bad guys" don't even respect kids

The data theft at the company VTech grows as the days go by. Today we know that not just 200,000 were affected but more than 6 million, and that the stolen data included photos. The Electronic Frontier Foundation (EFF) and Google have another open front related to kids: the former accuses the latter of monitoring the people who use its learning platform. And after all this mess, we'll finish with a new hope: the Let's Encrypt project, which starts to work tomorrow.




Media around the world, not only those dedicated to the Internet, are talking with outrage these days about the theft of data on kids and their parents, clients of the Hong Kong company VTech. Meanwhile, the causes for indignation are increasing: yesterday we learned that those affected weren't thousands, but 6.4 million kids and 4.8 million parents, the most affected countries being the United States, France, Great Britain and Germany. This data was given yesterday by the company, after too many "administrative silences", seeing that they can't manage this.



Tuesday, December 1, 2015

2.3 million stolen from a woman in love with the wrong cyberman

Falling in love online is one of the most addictive and dangerous things you can do in the virtual world. The least that could happen is that the loved one is not as we imagined when we finally meet in person. The worst that could happen is that the loved one is a fraudster, as in the case of a British woman and many others. Today we'll warn about this and also about the increase in bank attacks, about a curious complaint about using HTTPS and we'll bring you a new and interesting video from the past CyberCamp edition.

                                    

Sometimes we use this news service to talk only about high-level cybersecurity, great attacks on companies or championship hacks, but we forget a very important group of cybercrime victims: ordinary people. Today we redeem ourselves by talking about the case of a British woman who lost 2.28 million euros, defrauded by two men whom she met on an Internet dating website. According to the police, it's a frequent fraud but often it isn't reported because it's a delicate matter. From here we encourage victims to report it.