Feed aggregator

New DEF CON Torrent Page!

Security blogs - Sat, 06/08/2013 - 16:32
Have you ever gone to download some of our content, and said to yourself, "I wish there was a torrent of all this..."? Well now there are 20 years worth, and then some! Check out the new DEF CON Torrent Page, and start sucking down the data in massive chunks to your heart's content! Enjoy!
(author unknown)
Categories: Bundle Security blogs

Friday Squid Blogging: Squid Comic

Security blogs - Fri, 06/07/2013 - 19:35

A squid comic about the importance of precise language in security warnings.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

schneier
Categories: Bundle Security blogs

Behold, the world’s most sophisticated Android trojan

Security blogs - Fri, 06/07/2013 - 18:00
greyweed

Recently discovered malware targeting Android smartphones exploits previously unknown vulnerabilities in the Google operating system and borrows highly advanced functionality more typical of malicious Windows applications, making it the world's most sophisticated Android Trojan, a security researcher said.

The infection, named Backdoor.AndroidOS.Obad.a, isn't very widespread at the moment. The malware gives an idea of the types of smartphone malware that are possible, however, according to Kaspersky Lab expert Roman Unuchek in a blog post published Thursday. Sharply contrasting with mostly rudimentary Android malware circulating today, the highly stealthy Obad.a exploits previously unknown Android bugs, uses Bluetooth and Wi-Fi connections to spread to near-by handsets, and allows attackers to issue malicious commands using standard SMS text messages.

"To conclude this review, we would like to add that Backdoor.AndroidOS.Obad.a looks closer to Windows malware than to other Android trojans, in terms of its complexity and the number of unpublished vulnerabilities it exploits," Unuchek wrote. "This means that the complexity of Android malware programs is growing rapidly alongside their numbers."


Categories: Bundle Security blogs

64 Percent Of IT Professionals Are Blind To Corporate Application Access

Security blogs - Fri, 06/07/2013 - 17:59
Symplified research shows how corporate policies may be making enterprises more vulnerable than ever before
(author unknown)
Categories: Bundle Security blogs

Top Sites Revealed In 2013 Online Trust Honor Roll - Twitter Leads List

Security blogs - Fri, 06/07/2013 - 17:55
Social media sites outpaced other categories in garnering top honors
(author unknown)
Categories: Bundle Security blogs

PCI Security Standards Council Updates Standard For PIN Transaction Security

Security blogs - Fri, 06/07/2013 - 17:46
Version 4.0 of the PTS POI requirements focuses on increasing the robustness of devices through enhanced testing procedures
(author unknown)
Categories: Bundle Security blogs

Audio Interview with Me

Security blogs - Fri, 06/07/2013 - 17:22

In this podcast interview, I talk about security, power, and the various things I have been thinking about recently.

schneier
Categories: Bundle Security blogs

Under draft bill, EU wants to raise jail time for hackers, botnet operators

Security blogs - Fri, 06/07/2013 - 15:20

On Thursday, a European Parliament committee approved a new draft directive (PDF) that would, among other things, require European Union member states to step up criminal penalties for hacking, botnets, and other digital malfeasance.

Under EU law, directives are a set of instructions for all 27 (soon to be 28, when Croatia joins on July 1, 2013) member states to “translate” the new rules into their own local law. The new draft directive is set to be voted on by all of Parliament in July 2013 and enter into force shortly thereafter if approved.

According to a press release from the civil liberties committee, the new language requires that maximum prison terms for “illegally accessing or interfering with information systems, illegally interfering with data, illegally intercepting communications or intentionally producing and selling tools used to commit these offences,” be set at least for two years.


Categories: Bundle Security blogs

Cyber Security for the Military and Defence Sector

Security blogs - Fri, 06/07/2013 - 12:38
06/19/2013 - Don't miss SMi's 6th annual Cyber Security for the Military and Defence Sector. The two day conference will bring together leading security solutio...
(author unknown)
Categories: Bundle Security blogs

After burglaries, mystery car unlocking device has police stumped

Security blogs - Fri, 06/07/2013 - 11:52

It's February, about an hour after midnight, and three men in oversized clothing and hats walk silently down a deserted residential street in Long Beach, California. Each one goes up to a car in the area, takes out a small electronic device, and pulls on the passenger side car handle. The first man tries a car in the street. It doesn't open, and he walks on. The other two men try an Acura SUV and an Acura sedan in one home's driveway. Both of the cars unlock, their overhead lamps going on. The two men rummage through the cars, taking what they find. They shut the car doors and walk off.

Video of this scene was recorded by a surveillance camera placed in the driveway where the two Acuras were parked. The Long Beach Police (LBPD) department says that eight vehicles in total were “accessed and burglarized” in the same neighborhood that night. But despite having footage of the crime, the LBPD was not able to determine how the electronic devices worked or who the suspects were.

Auto burglary technology grants keyless access.

In April, the Long Beach Police posted the surveillance video on YouTube, desperate to figure out just how the electronic device used by the three suspects works. Ars spoke to a Long Beach Police spokeswoman who confirmed that after another two months, the department still hasn't come to a conclusive answer.


Categories: Bundle Security blogs

A Really Good Article on How Easy it Is to Crack Passwords

Security blogs - Fri, 06/07/2013 - 09:41

Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break them. The winner got 90% of them, the loser 62% -- in a few hours.

The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456," "1234567," and "password" are there, as is "letmein," "Destiny21," and "pizzapizza." Passwords of this ilk are hopelessly weak. Despite the additional tweaking, "p@$$word," "123456789j," "letmein1!," and "LETMEin3" are equally awful....

As big as the word lists that all three crackers in this article wielded -- close to 1 billion strong in the case of Gosney and Steube -- none of them contained "Coneyisland9/," "momof3g8kids," or the more than 10,000 other plains that were revealed with just a few hours of effort. So how did they do it? The short answer boils down to two variables: the website's unfortunate and irresponsible use of MD5 and the use of non-randomized passwords by the account holders.

The article goes on to explain how dictionary attacks work, how well they do, and the sorts of passwords they find.

Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict.

"The combinator attack got it! It's cool," he said. Then referring to the oft-cited xkcd comic, he added: "This is an answer to the batteryhorsestaple thing."

What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."

Great reading, but nothing theoretically new. Ars Technica wrote about this last year, and Joe Bonneau wrote an excellent commentary.

Password cracking can be evaluated on two nearly independent axes: power (the ability to check a large number of guesses quickly and cheaply using optimized software, GPUs, FPGAs, and so on) and efficiency (the ability to generate large lists of candidate passwords accurately ranked by real-world likelihood using sophisticated models).

I wrote about this same thing back in 2007. The news in 2013, such as it is, is that this kind of thing is getting easier faster than people think. Pretty much anything that can be remembered can be cracked.

If you need to memorize a password, I still stand by the Schneier scheme from 2008:

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence -- something personal.

Until this very moment, these passwords were still secure:

  • WIw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
  • Wow...doestcst::amazon.cccooommm = Wow, does that couch smell terrible.
  • Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
  • uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.

You get the idea. Combine a personally memorable sentence, some personal memorable tricks to modify that sentence into a password, and create a long-length password.

Better, though, is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to store them. (If anyone wants to port it to the Mac, iPhone, iPad, or Android, please contact me.) This article does a good job of explaining the same thing. David Pogue likes Dashlane, but doesn't know if it's secure.

In related news, PasswordSafe is a candidate for July's project-of-the-month on SourceForge. Please vote for it.

EDITED TO ADD (6/7): As a commenter noted, none of this is useful advice if the site puts artificial limits on your password.

schneier
Categories: Bundle Security blogs
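The Ars excerpt quoted above explains why "momof3g8kids" fell: it is two dictionary tokens glued together ("momof3g" from a large wordlist, "8kids" from a small one), and a "combinator" pass tries exactly such pairs, while leet substitutions ("p@$$word") and digit suffixes ("letmein1!") are handled by cheap rewrite rules. The defensive counterpart is a registration-time policy check that rejects a candidate password when it decomposes that way, even if it satisfies length and character-class rules. The example below is added here and is not from the Ars article or from Schneier's post; the two wordlists are constructed, tiny stand-ins for the crackers' dictionaries (a real check would load a large list from disk), and the leet table is a deliberately short assumption.

```python
"""Registration-time check for wordlist-derived passwords (added example).

Mirrors the cracker's "combinator" and rewrite rules defensively: a candidate
password is rejected if, after lowercasing, stripping a trailing digit/symbol
suffix, or undoing common leet substitutions, it is a wordlist entry or the
concatenation of two wordlist entries.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional, Tuple

# Constructed stand-ins for the crackers' dictionaries. Real deployments
# would load a large list (hundreds of millions of entries) from disk.
BIG_DICT = frozenset({"momof3g", "password", "letmein", "destiny", "pizza",
                      "gone", "fishing", "windermere", "love", "hate", "hackers"})
SMALL_DICT = frozenset({"8kids", "123", "2013", "1125", "21"})

# Assumed (short) leet table; production lists are much longer.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s"})
TRAILING = re.compile(r"[^a-z]+$")  # digit/symbol suffix such as "1!" or "1125"


def candidates(pw: str) -> set[str]:
    """All cheap rewrites of the password a rule-based attack would try."""
    low = pw.lower()
    stem = TRAILING.sub("", low)
    return {low, stem, low.translate(LEET), stem.translate(LEET)} - {""}


def combinator_split(word: str, dict_a: Iterable[str],
                     dict_b: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (left, right) if word is two wordlist tokens glued together.

    Accepts big+small, small+big and big+big pairs, which is what the
    combinator pass described in the article enumerates.
    """
    dict_a, dict_b = set(dict_a), set(dict_b)
    for i in range(1, len(word)):
        left, right = word[:i], word[i:]
        if ((left in dict_a and right in dict_b)
                or (left in dict_b and right in dict_a)
                or (left in dict_a and right in dict_a)):
            return left, right
    return None


def weakness(pw: str) -> Optional[str]:
    """Return a human-readable reason the password is weak, or None if it passes."""
    # Longest candidates first so the raw form is reported before its stem.
    for cand in sorted(candidates(pw), key=len, reverse=True):
        if cand in BIG_DICT or cand in SMALL_DICT:
            return f"wordlist entry: {cand!r}"
        hit = combinator_split(cand, BIG_DICT, SMALL_DICT)
        if hit:
            return f"combination of wordlist entries: {hit[0]!r} + {hit[1]!r}"
    return None


if __name__ == "__main__":
    # Plains quoted in the article, plus the sentence-derived password Schneier suggests.
    for sample in ["momof3g8kids", "p@$$word", "letmein1!", "gonefishing1125", "tlpWENT2m"]:
        verdict = weakness(sample)
        print(f"{sample:18s} -> {'REJECT: ' + verdict if verdict else 'accept'}")
```

Note that "tlpWENT2m" passes only because neither of its halves is a wordlist token; the check cannot see whether a phrase is famous, so a published example like this one still belongs on a deny-list, as Schneier's own caveat says.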

My toolbox

Security blogs - Fri, 06/07/2013 - 09:23
"Give me six hours to chop down a tree and I will spend the first four sharpening the axe."
Abraham Lincoln
Once you have been doing pentesting for a while, you carry out a significant share of your tasks with tools the community keeps publishing; you keep refreshing your own toolset, mostly on the strength of new releases in which you see a time saving, some automation, or technically better results.

However, there is a category of tools that is like that jar of screws and screwdrivers you keep at home and never throw away even when you buy new ones, or like when your mother opens the Danish butter cookie tin and you find it full of buttons.

Tools that do what they have to do efficiently and that are probably either discontinued or updated once a millennium, rusty, in some cases broken, or that even require library archaeology to compile again.

- Sqlibf (http://www.open-labs.org/)
I'll start with perhaps the best SQL injection detector in history (well, it is by our colleague Pinuaga); if I'm not mistaken it is the only automated tool that detects blind SQL injection through pipe concatenation in Oracle. It served as inspiration for the next tool, Proxystrike, which is also excellent. Sqlmap has probably surpassed Sqlibf as a tool, but its lightness still makes it indispensable.
 
- Proxystrike (http://code.google.com/p/proxystrike/)
From our former colleague Carlos del Ojo. Yes! Burp proxy is the best and the most useful, but this one has great merit: besides using a port of Sqlibf to detect injections, it had modularity and the ability to write plugins for it.

- Tcptraceroute, Netcat, Hping and Packit
They shouldn't be on the list, being half dead already, but of course, in other times, the times of Nmap, of firewalls, of Netcat, etc., these were some of the network tools in use; even today, when you suddenly run into a misconfigured firewall, it is worth dusting them off and putting them to good use.

- Theharvester (https://code.google.com/p/theharvester/)
Now that everyone seems to want to scrape OSINT for public information about targets using the almighty MALTEGO or the ubiquitous FOCA, I still prefer those tools that give you what you need and nothing more; this is one of them, along with Webslayer, by one of the most talented S21sec alumni, our colleague Martorella. Try comparing Theharvester with brand-new tools such as Spiderfoot.

- Fierce.pl (http://ha.ckers.org/fierce/)
By now Selvi will already have pointed out that with Metasploit he can do everything these tools do and more, so to load him up even further here is another one, by the master Rsnake, another of those that does what it has to do and gives you what you need.

- Yersinia (http://www.yersinia.net/)
Another classic that still hasn't been surpassed, a small work of art by Alfredo Andrés (Slayer) and David Barroso.

- Stunnel 3.26 (https://www.stunnel.org/index.html)
This is one of those where the tool gets updated, but you still prefer the previous version.

- Superscan4 (http://www.mcafee.com/us/downloads/free-tools/superscan.aspx)
With McAfee's purchase of Foundstone, the old free Foundstone tools were left without continuity. Even so, this is one of those that, well, is worth keeping around.

- Sysinternals (http://www.sysinternals.com)
Yes, they are still maintained, development continues, they get updated, etc. They shouldn't be on this list, but perhaps they have lost the romantic free-software spirit they used to have.

- Sqlping3 (http://www.sqlsecurity.com/downloads) and Oscanner (http://www.cqure.net/wp/tools/database/oscanner/)
More of the ones Selvi would say have their Metasploit alternative, but even so, on an internal pentest it is always good to bring them along.

- Ophcrack (http://ophcrack.sourceforge.net/)
It must have something good about it if the antivirus deletes it as soon as you install it on a machine; part of the Windows password-cracking arsenal, it has been discontinued since 2009, and using alternatives such as Findmyhash by Julio Gómez is surely infinitely faster, but it still packs a punch.

Going into old-timer "war stories" mode is probably counterproductive in these times of technical excellence, but it is also true that in many cases these tools have no direct alternative beyond Metasploit.

Do you have any "classic" we haven't mentioned?

Dept. ACSS S21SEC



noreply@blogger.com (S21sec Labs)
Categories: Bundle Security blogs

SilverSky To Acquire StillSecure's Managed Security Services Business

Security blogs - Fri, 06/07/2013 - 09:22
Acquisition is the latest in a series of investments SilverSky has made in the past four years to develop cloud-based security software
(author unknown)
Categories: Bundle Security blogs

BeyondTrust And LogRhythm Team Up

Security blogs - Fri, 06/07/2013 - 09:20
Integration enables organizations to identify highly corroborated behavioral anomalies, internal and external threats, and breaches
(author unknown)
Categories: Bundle Security blogs

Raley's Family Of Fine Stores Targeted In Cyberattack

Security blogs - Fri, 06/07/2013 - 09:00
The company has not confirmed any unauthorized access to payment card data yet
(author unknown)
Categories: Bundle Security blogs

Android antivirus products a big flop, researchers say

Security blogs - Fri, 06/07/2013 - 00:28

Android smartphones and tablets are under attack, and the most popular tools developed to protect them are easily circumvented, according to new research from Northwestern University and the University of North Carolina.

The researchers created technology called DroidChameleon that can be used to perform common obfuscation techniques (simple switches in a virus' binary code or file name, for instance) to blow by security products. They tested DroidChameleon with products from the likes of AVG, Kaspersky, ESET, Symantec and Webroot.

Tags: Android, Viruses & Malware
l33tdawg
Categories: Bundle Security blogs

F5 Air Force TechTalk

Security blogs - Thu, 06/06/2013 - 20:07
07/09/2013 - Secure Your Applications, Simplify Authentication, and Consolidate Infrastructure. Whether you have legacy or enterprise applications, authentication...
(author unknown)
Categories: Bundle Security blogs

IntelligenceCareers.com Career Fair

Security blogs - Thu, 06/06/2013 - 13:24
06/21/2013 - Falls Church, VA Career Event. June 21, 2013. Time: 10:00 - 15:00. Falls Church, VA. PREREGISTER. Target Audience: Analysts, Engineers, Linguists, Network...
(author unknown)
Categories: Bundle Security blogs

BeyondTrust Releases PowerBroker 6.0

Security blogs - Thu, 06/06/2013 - 09:33
Newest release includes session and file integrity monitoring capabilities
(author unknown)
Categories: Bundle Security blogs

The Cost of Terrorism in Pakistan

Security blogs - Thu, 06/06/2013 - 08:58

This study claims "terrorism has cost Pakistan around 33.02% of its real national income" between the years 1973 and 2008, or about 1% per year.

The St. Louis Fed puts the real gross national income of the U.S. at about $13 trillion total, hand-waving an average over the past few years. The best estimate I've seen for the increased cost of homeland security in the U.S. in the ten years since 9/11 is $100 billion per year. So that puts the cost of terrorism in the US at about 0.8% -- surprisingly close to the Pakistani number.

The interesting thing is that the expenditures are completely different. In Pakistan, the cost is primarily "a fall in domestic investment and lost workers' remittances from abroad." In the US, it's security measures, including the invasion of Iraq.

I remember reading somewhere that about a third of all food spoils. In poor countries, that spoilage primarily happens during production and transport. In rich countries, that spoilage primarily happens after the consumer buys the food. Same rate of loss, completely different causes. This reminds me of that.

schneier
Categories: Bundle Security blogs