Security blogs

Some security blogs I follow (feed updated 2013-07-01T21:55:27Z)
Updated: 8 years 12 weeks ago

Crime Convergence

Mon, 06/17/2013 - 19:34

Convergence isn’t a new concept in information security. For a while now we have been talking about “security convergence”, where two initially distinct principles or functions are mixed to tend toward or achieve union or a common conclusion or result (as defined by Wikipedia). A good example is the combination of physical and logical security controls: to improve the authentication and authorization processes, we can use two different factors: something we “know” (a PIN, a password) and something we “have” (a token or smartcard). Security convergence is also used to detect incidents or suspicious activities. You could correlate data generated by a badge reader (physical security) with an Active Directory event (logical security). A user who swiped his badge to enter building “A” but opened a session on a desktop located in building “B” can be considered suspicious.
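As an added example (not from the original post) of the badge-reader / Active Directory correlation described above: a successful logon is flagged when the workstation sits in a different building than the user's most recent badge swipe. The log formats, the host-to-building map and the sample events are constructed; the Windows event IDs 4624 (successful logon) and 4625 (failed logon) are the standard ones.

```python
"""Correlate badge-reader swipes with Active Directory logon events and flag
users who badged into one building but logged on to a desktop in another.
Added example; the log formats, building map and sample events are constructed."""
from datetime import datetime, timedelta

# Constructed lookup: the building each workstation is physically located in.
HOST_BUILDING = {"WS-A-101": "A", "WS-A-102": "A", "WS-B-201": "B"}

# Constructed badge-reader lines (physical security).
BADGE_LOG = """2013-06-17T08:01:12 swipe user=alice building=A door=main
2013-06-17T08:03:45 swipe user=bob building=B door=main
2013-06-17T08:10:02 swipe user=carol building=A door=side"""

# Constructed Windows logon lines (logical security); 4624 = success, 4625 = failure.
AD_LOG = """2013-06-17T08:05:30 EventID=4624 user=alice host=WS-A-101
2013-06-17T08:06:10 EventID=4624 user=bob host=WS-A-102
2013-06-17T08:12:00 EventID=4624 user=carol host=WS-B-201
2013-06-17T08:12:30 EventID=4625 user=carol host=WS-B-201"""


def parse_kv_lines(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            if "=" in kv:
                key, value = kv.split("=", 1)
                ev[key] = value
        events.append(ev)
    return events


def find_building_mismatches(badge_text, ad_text, host_building,
                             window=timedelta(hours=4)):
    """Return (user, badge_building, host, host_building, logon_ts) for every
    successful logon whose host is in a different building than the user's
    most recent swipe within `window` before the logon. Logons by users with
    no recent swipe, or on hosts with unknown location, are not correlated."""
    swipes = parse_kv_lines(badge_text)
    findings = []
    for ev in parse_kv_lines(ad_text):
        if ev.get("EventID") != "4624":
            continue  # only successful logons are of interest here
        host = ev.get("host")
        host_bldg = host_building.get(host)
        if host_bldg is None:
            continue  # cannot correlate a host whose location is unknown
        recent = [s for s in swipes
                  if s.get("user") == ev.get("user")
                  and ev["ts"] - window <= s["ts"] <= ev["ts"]]
        if not recent:
            continue
        last = max(recent, key=lambda s: s["ts"])
        if last.get("building") != host_bldg:
            findings.append((ev["user"], last["building"], host, host_bldg, ev["ts"]))
    return findings


if __name__ == "__main__":
    for user, badge_bldg, host, host_bldg, ts in find_building_mismatches(
            BADGE_LOG, AD_LOG, HOST_BUILDING):
        print(f"{ts.isoformat()} {user}: badged into {badge_bldg}, "
              f"logged on to {host} in building {host_bldg}")
```

On the constructed sample, bob (badged into B, logon in A) and carol (badged into A, logon in B) are flagged, while alice and carol's failed 4625 logon are not.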

Today, I read an interesting piece of news reported on Twitter. It was published by the Dutch portal transport-online.nl, which compiles news about freight. Nothing related to information security at first sight, but quite interesting anyway. The portal reported that drug criminals hacked the websites of two container terminals. Those companies operated in the port of Antwerp. Why? Today, computers control more and more infrastructure, and containers are no exception. Every container can be tracked throughout its journey: when it was (un)loaded onto boats, trains or trucks, where it was stored (position), etc. Such information can be very valuable for criminals, especially if the containers hold drugs. The hackers used the infiltrated systems to locate their precious goods.

This is a very good example of “crime convergence”: to achieve their goals, criminals do not hesitate to mix regular criminal activities with cyber-crime. I’m pretty sure that the two hacked companies never imagined they would be a target for cyber criminals (“Hey, who would be interested in the position of our containers?”). Don’t forget that the data handled by your organization might be very valuable to people with bad intentions.

Here is a link to the article: Drugshandelaren hacken rederijen en ontvreemden containers met cocaïne (in Dutch – translation in English here).


Categories: Bundle Security blogs

BlackBerry security advisory details critical bug on Z10 phones

Mon, 06/17/2013 - 19:05

BlackBerry has issued a security advisory to customers who have purchased the company's Z10 smartphone—the flagship device of BlackBerry's relaunch in February. A bug in the system designed to help users find their lost cell phone could be used to gain access to the phone, either physically or over Wi-Fi.

The bug isn't in the BlackBerry 10 OS itself, but in the BlackBerry Protect application. A malicious application could take advantage of weak permission controls in BlackBerry Protect to reset the password on the Z10 or prevent the phone's owner from remote-wiping it when the phone is lost. If an attacker has the phone in hand, the bug in Protect could be used to gain access to the phone's functionality and the owner's personal data; the bug and a malicious application could be used to expose the phone over Wi-Fi and allow a user to pilfer files from the device.

BlackBerry (the company formerly known as Research In Motion) went out of its way to get its Z10 smartphone and the BlackBerry 10 operating system certified as secure well before launch, getting the US government seal of approval with FIPS 140-2 certification last November. The company is downplaying the immediate risks of this vulnerability, as there is no known exploit using the bug in the outside world and the worst risks require a combination of a user installing a malicious application and then an attacker gaining access to the phone. The Wi-Fi attacks are only possible if the device's owner has turned on Wi-Fi access.

Read on Ars Technica | Comments

Categories: Bundle Security blogs

DOT and Railroad Collaborations: Best Practices for Expediting Agreements and Successfully Delivering Projects (R16)

Mon, 06/17/2013 - 17:11
07/09/2013 - As part of the SHRP2 Tuesdays Webinar Series, TRB will conduct a webinar on July 9, 2013 from 2:00 p.m. - 3:30 p.m. ET that will explore how streaml...
(author unknown)
Categories: Bundle Security blogs

Project C-43: A Final Piece of Public-Key Cryptography History

Mon, 06/17/2013 - 15:47

This finally explains what John Ellis was talking about in "The Possibility of Non-Secret Encryption" when he dropped a tantalizing hint about wartime work at Bell Labs.

schneier
Categories: Bundle Security blogs

DeepCover Secure Authenticator From Maxim Integrated Protects Designs With Strong Public-Key Cryptography

Mon, 06/17/2013 - 14:04
Integrated authenticator simplifies interconnect complexity in medical sensors and industrial applications
(author unknown)
Categories: Bundle Security blogs

Armadillo Adds Data Classification Capability With Boldon James Partnership

Mon, 06/17/2013 - 14:01
Boldon James Classifie delivers data classification in order to prevent highly sensitive information from entering the public domain
(author unknown)
Categories: Bundle Security blogs

Life without Liberty Reserve

Mon, 06/17/2013 - 14:01

These have been rather turbulent days in the underground world: a couple of weeks ago cybercriminals woke up to find their beloved Liberty Reserve (LR) shut down and its administrators arrested by the Spanish police at Barajas. You can imagine the reaction of the carders, spammers, botmasters and phishers on seeing the funds they had so painstakingly stored with this payment provider, one of rather relaxed morals, vanish at a stroke.
This operation, together with the dismantling of the bullet-proof ISP McColo in 2008, has probably been the most significant blow to date against the online crime ecosystem. After all, when the police arrest one gang there is always another eager to take its place, and if the security industry dismantles a botnet, a new one appears within a few months. The disappearance of LR, however, has been something different, and the void it leaves is by no means easy to fill.
Liberty Reserve did not limit itself to transferring money, like the well-known Western Union or MoneyGram. It also operated as an anonymous bank in which many cybercriminals stored their illicit earnings and used it as a starting point for laundering them. It seems clear that after this shutdown, even if a new player appeared with sufficient means to build a stable and secure infrastructure, it would find it very hard to win the public's trust.
Although some forums carry proposals to replicate LR's structure on servers in North Korea or Iran, the truth is that right now most underground forums are openly debating which virtual currency is best suited to replace the ousted LR. As could be expected, Bitcoin is on everyone's lips, and in fact it is commonplace on the TOR forums and shops devoted to selling drugs and precursors. However, the cryptocurrency does not convince many cybercriminals as a means of payment and a cushion for their savings, and they use the same arguments that come up in any discussion about Bitcoin (exchange-rate volatility, the possibility that it is a Ponzi scheme, the lack of a backing entity...). In the end everything points to the winner of this situation being our old friend WebMoney. This provider, popularly known as "the Russian alternative to PayPal", has numerous advantages:
  • A larger infrastructure than LR's
  • A strong presence in Eastern European countries, where funds can even be acquired with prepaid cards
  • It recently added Bitcoin to the list of currencies it accepts, which makes it easier to hop between monetary systems, so useful when it comes to laundering money.
  • And of course the blessing of the Russian administration, which keeps the spectre of a sudden shutdown at bay.

Against it, there is the relative difficulty of opening anonymous accounts outside Eastern European countries, and the fact that it recently banned the opening of new accounts by US citizens to avoid problems with the FBI. In short, nothing that cannot be avoided using proxies, fake documents and other tricks available a click away.

Javier Barrios 
S21sec ecrime

noreply@blogger.com (S21sec Labs)
Categories: Bundle Security blogs

Week 24 in Review – 2013

Mon, 06/17/2013 - 12:03

Event Related

  • Workshop on the Economics of Information Security 2013 – lightbluetouchpaper.org
    I’m liveblogging WEIS 2013, as I did in 2012, 2011, 2010 and 2009. This is the twelfth workshop on the economics of information security, and the sessions are being held today and tomorrow at Georgetown University.
  • Stupid Little IPv6 Tricks – isc.sans.edu
    With the IPv6 Summit on Friday, various IPv6 related topics are of course on my mind. So I figured to put together a quick laundry list of “stupid little IPv6 tricks/topics”. Let me know what issues you are running into as well.

Resources

  • Volume Shadow Copy NTDS.dit Domain Hashes Remotely – Part1 – room362.com
    Ever run into a Domain Controller that wasn’t allowed to talk to the Internet, had insane AV and GPOs not allowing anyone to RDP in (Even Domain Admins) unless they provided some kind of voodoo happy dance?
  • The Value of a Hacked Email Account – krebsonsecurity.com
    This post aims to raise awareness about the street value of a hacked email account, as well as all of the people, personal data, and resources that are put at risk when users neglect to properly safeguard their inboxes.
  • Category:OWASP Top Ten Project – owasp.org
    The OWASP Top 10 for 2013 is now officially released as of June 12, 2013.
  • Symantec Intelligence Report: May 2013 – symantec.com
    For starters we’ve taken a look at data breaches. Symantec and the Ponemon Institute have just released their annual Cost of a Data Breach report, which covers trends seen in 2012.

Techniques

  • Modifying Mimikatz to be Loaded Using Invoke-ReflectiveDLLInjection.ps1 – clymb3r.wordpress.com
    This is a follow up to my article about reflectively loading DLLs using PowerShell. This will walk you through the relatively simple process of modifying mimikatz to be loadable using the reflective DLL loader to dump passwords.
  • Steps Toward Weaponizing the Android Platform – zitstif.no-ip.org
    In this article I will be covering ways that one can turn their Android based device into a powerful pocket sized penetration testing tool. If you’re looking to do wireless sniffing or packet injection with your Android based device, this article will be of little help.
  • Sometimes, The PenTest Gods Shine On You – blog.spiderlabs.com
    Settling down for a hacking session usually means lots of hard work and a long grind towards target data. You’ve got to juggle a large stack of systems and testing constraints, all while learning about the environment from the ground up. You can spend 3 hours trying to land a shell on a box, just to find it gets you nowhere. However, sometimes a beautiful beam of light shines down from the heavens and opens up a door or two for you (or maybe it’s just the sun reflecting off of something in my office, either way).
  • Video Tutorial – Installing Kali Linux on Bootable, Persistent USB – community.rapid7.com
    This video covers the installation of Kali Linux on a USB drive. Additionally, setting up persistence on a separate partition is reviewed including how the persistence works. A Kali Linux virtual machine is used to create the USB.

Vendor/Software Patches

  • Novell Zenworks MDM: Mobile Device Management for the Masses – console-cowboys.blogspot.com/
    I’m pretty sure the reason Novell titled their Mobile Device Management (MDM, yo) under the ‘Zenworks’ group is because the developers of the product HAD to be in a state of meditation (sleeping) when they were writing the code you will see below.
  • Adobe, Microsoft Patch Flash, Windows Krebs on Security – krebsonsecurity.com
    Patch Tuesday is again upon us: Adobe today issued updates for Flash Player and AIR, fixing the same critical vulnerability in both products.
  • Assessing risk for the June 2013 security updates – blogs.technet.com
    Today we released five security bulletins addressing 23 CVEs. One bulletin has a maximum severity rating of Critical, and four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Vulnerabilities

  • The most sophisticated Android Trojan – securelist.com
    Recently, an Android application came to us for analysis. At a glance, we knew this one was special. All strings in the DEX file were encrypted, and the code was obfuscated.

Other News

Categories: Bundle Security blogs

Must Read for Infosec Pros: Rich Mogull on Apple Security Strategy

Mon, 06/17/2013 - 11:25
You may have missed this jewel of an infosec post by Rich Mogull amid the hashtag avalanche of NSA, PRISM, or FISA articles last week. Rich's post, Apple Security Strategy: Make It Invisible, impressed me as shedding light on singularly important design objectives that all information security efforts ought to consider. The post is both a really insightful article about Apple's security design and philosophy, and a learning opportunity for security designers or practitioners generally. Among the many insights Rich shares, these three messages in particular could form the basis for secure implementation or deployment: "Good user experience doesn't have...
Categories: Bundle Security blogs

Miscreants and the Principle of Least Effort

Mon, 06/17/2013 - 10:00
Back in the old days, when security was much more of an afterthought, it was obvious that miscreants were familiar [...]
Kevin Timm
Categories: Bundle Security blogs

Blowback from the NSA Surveillance

Mon, 06/17/2013 - 09:13

There's one piece of blowback that isn't being discussed -- aside from the fact that Snowden killed the chances of a liberal arts major getting a job at the DoD for a decade -- and that's how the massive NSA surveillance of the Internet affects the US's role in Internet governance.

Ron Deibert makes this point:

But there are unintended consequences of the NSA scandal that will undermine U.S. foreign policy interests -- in particular, the "Internet Freedom" agenda espoused by the U.S. State Department and its allies.

The revelations that have emerged will undoubtedly trigger a reaction abroad as policymakers and ordinary users realize the huge disadvantages of their dependence on U.S.-controlled networks in social media, cloud computing, and telecommunications, and of the formidable resources that are deployed by U.S. national security agencies to mine and monitor those networks.

Writing about the new Internet nationalism, I talked about the ITU meeting in Dubai last fall, and the attempt of some countries to wrest control of the Internet from the US. That movement just got a huge PR boost. Now, when countries like Russia and Iran say the US is simply too untrustworthy to manage the Internet, no one will be able to argue.

We can't fight for Internet freedom around the world, then turn around and destroy it back home. Even if we don't see the contradiction, the rest of the world does.

schneier
Categories: Bundle Security blogs

Joeffice, an open source office suite one developer built in 30 days

Sun, 06/16/2013 - 22:48

Software developer Anthony Goubard may be one of the most ambitious DIYers on the planet. How else can you explain it? One man looks across the landscape of productivity suites—from Microsoft Office to LibreOffice to Google Docs—and says: "I'll just make my own."

Tags: Software-Programming
l33tdawg
Categories: Bundle Security blogs

Open-source game developers have the power to sink mega conferences like E3

Sun, 06/16/2013 - 22:44

Contrary to popular belief, the Electronic Entertainment Expo, known as E3, was alive and well this year. But the rise of Ouya, Steam Box, and GamePop later this year could mark the end of an era. With relatively small revenue generated by a typical open-source game, indie developers simply won't be able to afford to go.

At the same time, there's going to be more and more of them, playing a huge part in the gaming ecosystem.

Tags: Games, Industry News
l33tdawg
Categories: Bundle Security blogs

US officials say less than 300 phone numbers were investigated in 2012, data thwarted terrorist plots

Sun, 06/16/2013 - 22:42

The U.S. government searched for detailed information on calls involving fewer than 300 phone numbers last year, according to an unclassified document circulated Saturday.

The paper said such searches -- part of two controversial U.S. intelligence gathering programs -- led to two men allegedly plotting to attack New York City's subway system, Reuters reported. The data, which the Associated Press reported is destroyed every five years, thwarted terrorist plots in the U.S. and more than 20 other countries.

Tags: Privacy, Security, US
l33tdawg
Categories: Bundle Security blogs

Facebook, Microsoft disclose little on national security requests

Sun, 06/16/2013 - 22:38

Facebook and Microsoft each fielded thousands of requests for user data as part of law enforcement investigations from U.S. authorities in the second half of last year, they said late Friday.

Tags: PRISM, Privacy, Facebook, Microsoft
l33tdawg
Categories: Bundle Security blogs

Critical Java SE update due Tuesday fixes 40 flaws

Sun, 06/16/2013 - 22:36

Thought your Java security woes were behind you? Think again. Oracle is planning to release a Critical Patch Update on Tuesday that affects multiple versions of Java, and it's another doozy.

According to Oracle's security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

Tags: Java, Security, Oracle
l33tdawg
Categories: Bundle Security blogs

How super high-def displays change everything

Sun, 06/16/2013 - 22:34

The consumer electronics market is being flooded with devices that have incredible high-resolution screens.

All the new iPhones and high-end Android phones have them. The 10-in. iPad has one, as do the Archos 97 Titanium HD, Onda V972, Freelander PD80, Ainol NOVO9 Spark, Cube U9GT5 and others.

Tags: Hardware
l33tdawg
Categories: Bundle Security blogs

Australia gets 'huge volumes' of PRISM data: report

Sun, 06/16/2013 - 22:31

Australian intelligence agencies have reportedly received "huge volumes" of "immensely valuable" intelligence data from the US, including from its PRISM program.

The PRISM programme came to light after a US Booz Allen staffer leaked a PowerPoint presentation to the Washington Post and the Guardian which detailed how the US was spying on the communications of foreigners without use of a warrant.

Tags: PRISM, NSA, Privacy, Security, Australia
l33tdawg
Categories: Bundle Security blogs