Feed aggregator

New Details on Skype Eavesdropping

Security blogs - Jue, 06/20/2013 - 17:42

This article, on the cozy relationship between the commercial personal-data industry and the intelligence industry, has new information on the security of Skype.

Skype, the Internet-based calling service, began its own secret program, Project Chess, to explore the legal and technical issues in making Skype calls readily available to intelligence agencies and law enforcement officials, according to people briefed on the program who asked not to be named to avoid trouble with the intelligence agencies.

Project Chess, which has never been previously disclosed, was small, limited to fewer than a dozen people inside Skype, and was developed as the company had sometimes contentious talks with the government over legal issues, said one of the people briefed on the project. The project began about five years ago, before most of the company was sold by its parent, eBay, to outside investors in 2009. Microsoft acquired Skype in an $8.5 billion deal that was completed in October 2011.

A Skype executive denied last year in a blog post that recent changes in the way Skype operated were made at the behest of Microsoft to make snooping easier for law enforcement. It appears, however, that Skype figured out how to cooperate with the intelligence community before Microsoft took over the company, according to documents leaked by Edward J. Snowden, a former contractor for the N.S.A. One of the documents about the Prism program made public by Mr. Snowden says Skype joined Prism on Feb. 6, 2011.

Reread that Skype denial from last July, knowing that at the time the company knew that they were giving the NSA access to customer communications. Notice how it is precisely worded to be technically accurate, yet leave the reader with the wrong conclusion. This is where we are with all the tech companies right now; we can't trust their denials, just as we can't trust the NSA -- or the FBI -- when it denies programs, capabilities, or practices.

Back in January, we wondered whom Skype lets spy on their users. Now we know.

schneier
Categorías: Bundle Security blogs

Mobile Helix Introduces Link, A Pure HTML5 Application Development Platform

Security blogs - Jue, 06/20/2013 - 17:00
Link creates a common application environment by deploying applications through Internet browser(author unknown)
Categorías: Bundle Security blogs

Qihoo 360 Discovered Serious Smishing Vulnerability In Samsung Galaxy S4

Security blogs - Jue, 06/20/2013 - 16:58
Vulnerability is related to the "cloud backup" feature of Galaxy S4(author unknown)
Categorías: Bundle Security blogs

Clavid Launches Authentication As A Service

Security blogs - Jue, 06/20/2013 - 16:56
Clavid enables users to combine the authentication methods that are already in place so they can use one single login to access all Internet services(author unknown)
Categorías: Bundle Security blogs

Love Letter to an NSA Agent

Security blogs - Jue, 06/20/2013 - 15:19

A fine piece: "A Love Letter to the NSA Agent who is Monitoring my Online Activity."

A similar sentiment is expressed in this video.

schneier
Categorías: Bundle Security blogs

Proud of My First Targeted Attack… or Not!

Security blogs - Jue, 06/20/2013 - 14:18

Connecting a server to the Intertubes is like connecting it to the wild. There are plenty of bots (thousands? millions?) scanning IP addresses for vulnerable services. Once a service is enabled on an IP address, you don’t have to wait a long time before detecting incoming traffic! One of the most common ports is HTTP (80). There are plenty of outdated or unpatched applications still running in the wild and CMS (“Content Management Systems“) are one of the favourite targets for bots. This blog is running WordPress. Why hide it if it can be guessed in a few seconds. WordPress is a well-known CMS with plenty of third-party plugins and also a lot of security holes. It is a nice target for bots. Regularly, my blog is visited by bots and it’s part of the game… Usually, I don’t care about them, they are just temporary blacklisted.

But, a few days ago, another attack drew my attention. It has the following interesting characteristics:

  • Coming from a bot (or proxies) from multiple countries/ISP’s
  • Using multiple valid User-Agent strings
  • Generating traffic at a low rate to avoid my anti-bruteforce filter

It was a dictionary attack against the ‘admin’ user. After a first wave of login attempts, something interesting happened: every password was probed twice; A first time agains the “admin” account and a second time against a private account. This proves that I was facing my first targeted attack! Instead of loosing my time trying to blacklist the IP addresses, I let the attacker play and sniffed the traffic until the attack stopped by itself. A brief analyze of the PCAP file revealed:

  • 15881 unique IP addresses (list)
  • 127 unique User-Agents (list)

As shown on the timeline below, there was two first peak of requests then, the attack was lighter but stable with a constant number of probes:

(Click to enlarge)

When you have IP addresses, it’s easy and very convenient to perform a GeoIP lookup and display them on a map:

(Click for a dynamic map)

Geolocation is interesting but where are they coming from (from an ISP or company perspective). Here is the top-30 of TLD (based on the reserve lookup of offensive IP addresses):

TLD # ukrtel.net 852 com.tr 794 com.mx 483 telecom.kz 473 net.ua 440 ne.jp 316 triolan.net 234 kyivstar.net 217 mgts.by 189 com.ua 180 net.br 143 net.co 130 com.br 127 volia.net 126 odessa.ua 101 co.th 76 kiev.ua 75 rima-tde.net 72 vega-ua.net 70 net.mx 70 mclaut.net 68 net.pe 67 telecomitalia.it 64 breezein.net 64 wanadoo.frt 62 totbb.net 62 bbtec.net 56 pldt.net 51 hinet.net 51 poltava.ua 50

Finally, was it a targeted attack or not? I don’t think so… Why? When you plan to conduct a targeted attack, the primary phase (“reconnaissance“) is a key to understand the behavior (amongst technical details) of your future target. In my case, the attacker should see that my blog requires dual-factor authentication! Why run a bruteforce attack against a login page without providing an OTP (“One Time Password“)? This is completely useless. I think that bots become more intelligent and extract now user names from the link to editors in posts:

(Click to enlarge)

Take care with your blog users and roles (subscriber, administrator, editor, contributer, etc)! Like any regular user, apply the least privileges principle and… keep an eye on your logs!

Categorías: Bundle Security blogs

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Security blogs - Jue, 06/20/2013 - 12:37

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [ 1 ] [ 2 ] [ 3 ] ) – that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands and added some new features to those commands. In addition to the new engine, a few CnCs have also been observed serving up Gzip-compressed data and at least one has exhibited blocking based on geographic location. The “Drive” name comes from multiple URI paths being named or containing /drv/ or /drive/ and a few CnC hostnames containing the word “drive”. This new variant does not seem to have made it to the “mainstream” underground forums yet with only a total of 15 unique CnC hostnames being observed so far.

Drive Revs its Supercharged Engine

Drive sports 2 POST floods, a GET flood, 2 connection + data floods and a UDP flood – although the UDP flood was not seen in all instances. It also has the ability to specify a post query string of random data to add additional stress to a server in the cases where login pages, search pages, etc. are targeted.

It also sports a new string encryption algorithm that is very similar to the Khan algorithm that Jeff Edwards wrote about in 2012 [ 4 ]. A representation of the assembly code for the algorithm is shown in Python below. This algorithm could be made more efficient, but is presented as-is to represent exactly what Drive does:

def decrypt_drive(crypted): ebx = 1 edi = 1 esi = 1 decrypted = "" while len(decrypted) < len(crypted): if esi == 2: tmp_chr = ord(crypted[edi-1]) tmp_chr += ebx + 1 decrypted += chr(tmp_chr) else: tmp_chr = ord(crypted[edi-1]) tmp_chr -= (ebx + 1) decrypted += chr(tmp_chr) if ebx == 1: ebx = 2 elif ebx == 2: ebx = 3 else: ebx = 1 esi -= 1 if esi == 0: esi = 2 else: esi = 1 edi += 1 return decrypted[::-1]

Any “sensitive” data – cnc host, cnc port, cnc URI, install name, ini name – is encrypted with this algorithm.

The phone homes retain the k= POST parameter, but unlike DirtJumper v5 and Khan the length of the value is 15-bytes instead of 32. A randomly generated User-Agent following the format described in the attacks section below is also included.

New Turn-by-Turn Attack Directions

 

Figure 1: Attack Command Parsing

Attacks are no longer specified by 3 pipe-delimited integers and then targets, they are now specified using an attack command – any of -get, -post1, -post2, -ip, -ip2, -udp – that is mapped to a corresponding integer that is referenced everywhere else it is needed. The assembly code for this is shown in Figure 1. Other options for the command are -timeout to specify a timeout, -thread to specify the number of threads to launch (defaults to 30), and -request – only used in the POST attacks. Once the attack_code is set, the code will branch based on the value – if it’s greater than or equal to 3, then it will branch to a section of code that handles the -ip, -ip2, and -udp attacks, otherwise it will branch to a section to handle the HTTP attacks.

In the parsing of the HTTP attacks, it will parse the hostname out from the URL – first checking for http:// or https:// and perform a gethostbyname call to obtain the IP address of the target. It will also look for any “:” and parse out the targeted port as well. While the code searches for https://, we have not seen any copies of Drive that have an embedded SSL library to actually support an attack over HTTPS and it uses socket / send / recv to establish a connection and send data to add more evidence to a lack of SSL support.

Parsing for non-HTTP attacks is slightly different – an IP and port combination are expected. A small number of example commands are shown below:

-ip <ip address>:<port> -timeout 0 thread 999 -get hxxp://<target>/ -timeout 3000 -thread 1 -post1 hxxp://<target>/<uri> -timeout 0 -request username=[5]&password=[5]&submit=Submit -thread 150 -udp <target>:<port> -timeout 0 -thread 80 Upgrading the DDoS HorsePower HTTP Floods

The HTTP-based attacks randomly select one of three User-Agents and then randomly generate values for each one – including version number and patch-level and also randomly chooses whether to include the WOW64 string to indicate a 64-bit Windows system. Regular expressions that represent the 3 possible User-Agents are displayed below:

Mozilla/5.0 (Windows NT [56].1; WOW64; rv: [9-17].0 Gecko/20100101 Firefox/[9-17].0 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT [56].1; WOW64; ; Trident/4.0; SLCC2; .NET CLR 2.0.[0-9]{6}; .NET CLR 3.5.[0-9]{6}; .NET CLR 3.0.[0-9]{6} Opera/9.80 (Windows NT [56].1; WOW64; U; Edition <Random country> Local; ru) Presto/2.10.289 Version/[5-12].0[0-9]

The Referer field also contains a randomly generated value between 5 and 14 characters that is concatenated with a randomly selected TLD to form the full URL. Previous versions / variants of DirtJumper used a hard-coded User-Agent string, so the switch to a more dynamic set of User-Agents that more closely resemble legitimate browsers make for harder fingerprinting. Closer inspection by the reader will show that there do exist some anomalies that would not exist in a real-world browser.
The two POST attacks differ slightly – one appears to target just making sure the server has processed the POST request and closes the connection after it received the first 1024 bytes, while the other attack waits until the response has been completely received before closing the connection. In addition to the random User-Agent string, the POST attacks also contain the above mentioned ability to randomize their POST data. The default clearly targets login forms, but others have been observed targeting search pages and user profile pages. The integer value between the brackets represents how long of a random string to generate. Hard-coded values are also allowed in POST data.

login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50] IP Floods

The two IP attacks – -ip and -ip2 – are both connection style flood attacks that also include more randomly generated data that is sent to the target. These attacks have been seen targeting HTTPS, SSH, MySQL to name a few. An interesting tidbit with these attacks is that they will only operate on an IP address – if a hostname is sent it will fail as no calls to gethostbyname are made to retrieve the IP address to open a socket to. One attack will allocate a buffer of 1460 bytes, memset to set all bytes in the buffer to null and then memcpy the randomly generated data into it and send the full 1460 byte buffer. The random data consists of 2 15-byte strings concatenated together with a space separating them. The other attack only sends the random data. This set of attacks seems to attempt to get around general connection flood protections that only classify floods based on no sending of data, but is not difficult to protect against – especially in the case of targeting SSL-encrypted services where it will lack a proper SSL handshake.

UDP Flood

The UDP flood is a pretty standard UDP flood with the port specified by the attacker and more random data sent to the target. This attack has only been seen a handful of times from the CnCs that have been monitored.

 

Under the Hood of a few CnCs

Drive has certainly been ambitious with its targets – targeting a popular online retailer, search engine, a popular security news site and some foreign financial institutions for a number of hours – but with some attacks being successful and some not. Using the excellent  OpenDNS Security Graph, we have been able to obtain a rough low-end estimate on the number of infected hosts – with the caveat that an unknown number may be from others monitoring the same CnC or dynamically analyzing a piece of malware attempting to connect to the CnC. The graph shown below is a snapshot taken during a successful attack and shows a peak of around 1,000 queries during the attack.

This particular CnC was co-hosted with a BetaBot CnC and a BitCoin mining harvestor and all 3 were dropped by a Smoke Loader.

OpenDNS Security Graph for www.mogains.com

The CnC located at kers2.com was the first CnC that we observed hosting Drive, but we found that it was difficult to monitor for a number of months. Later we discovered that it was blocking connections based on geographic location and switching where we routed through allowed us to determine what it was targeting. This CnC was seen targeting foreign financial institutions and has recently appeared to go offline again, but it is possible that it once again shifted its allowed victims to a different geography. This CnC was online for at least 3 months, which is one of the longest-lived DirtJumper family lifetimes that we have seen recently. With queries peaking above 2000 and mostly averaged above 1500, it represented a significant threat when it was active.

OpenDNS Security Graph for kers2.com

Conclusion

Drive is an up-and-coming threat on the ASERT radar and something we will continue to monitor closely in the coming months as it continues to spread and attack new targets. The attacks we have witnessed have proved to be more potent than other variants and we have even seen CnCs name over 60 targets at once for extended periods of time.

 

References

[ 1 ] http://ddos.arbornetworks.com/2011/08/dirt-jumper-caught/

[ 2 ] http://ddos.arbornetworks.com/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/

[ 3 ] http://ddos.arbornetworks.com/2012/05/dirt-jumper-ddos-bot-increasingly-popular/

[ 4 ] http://ddos.arbornetworks.com/2012/03/kahn/

Categorías: Bundle Security blogs

The US Uses Vulnerability Data for Offensive Purposes

Security blogs - Jue, 06/20/2013 - 09:04

Companies allow US intelligence to exploit vulnerabilities before it patches them:

Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

No word on whether these companies would delay a patch if asked nicely -- or if there's any way the government can require them to. Anyone feel safer because of this?

schneier
Categorías: Bundle Security blogs

Break free of PRISM with the EFFs PRISM Break site

Security blogs - Jue, 06/20/2013 - 00:18

A lot of people have been worried about their privacy since Edward Snowden blew the whistle on American government spying. A list of companies has been made public that allegedly store your data in such a way that allows for the USA’s NSA branch to easily access it.

As a reaction to this the Electronic Frontier Foundation (EFF) has put together a website with software and service alternatives to help increase your privacy, with a focus on FOSS and Linux.

Tags: PRISMNSAEFFPrivacyl33tdawg
Categorías: Bundle Security blogs

New attack cracks iPhone autogenerated hotspot passwords in seconds

Security blogs - Mié, 06/19/2013 - 22:31
The top 10 most commonly used words contained in default iPhone hotspot passwords, ordered by relative frequency. Kurtz, et al.

If you use your iPhone's mobile hotspot feature on a current device, make sure you override the automatic password it offers to secure your connections. Otherwise, a team of researchers can crack it in less than half a minute by exploiting recently discovered weaknesses.

It turns out Apple's iOS versions 6 and earlier pick from such a small pool of passwords by default that the researchers—who are from the computer science department of the Friedrich-Alexander University in Erlangen, Germany—need just 24 seconds to run through all the possible combinations. The time required assumes they're using four AMD Radeon HD 7970 graphics cards to cycle through an optimized list of possible password candidates. It also doesn't include the amount of time it takes to capture the four-way handshake that's negotiated each time a wireless enabled device successfully connects to a WPA2, or Wi-Fi Protected Access 2, device. More often than not, though, the capture can be completed in under a minute. With possession of the underlying hash, an attacker is then free to perform an unlimited number of "offline" password guesses until the right one is tried.

The research has important security implications for anyone who uses their iPhone's hotspot feature to share the device's mobile Internet connectivity with other Wi-Fi-enabled gadgets. Adversaries who are within range of the network can exploit the weakness to quickly determine the default pre-shared key that's supposed to prevent unauthorized people from joining. From there, attackers can leach off the connection, or worse, monitor or even spoof e-mail and other network data as it passes between connected devices and the iPhone acting as the access point.

Read 8 remaining paragraphs | Comments

Categorías: Bundle Security blogs

Microsoft will pay up to $100K for new Windows exploit techniques

Security blogs - Mié, 06/19/2013 - 17:20
Some bugs aren't worth very much cash. Daniel Novta

Microsoft has announced that it will give security researchers cash rewards for devising novel software exploitation techniques, creating new exploit mitigation systems, and finding bugs in the beta of Internet Explorer 11 when it's released later this month.

Bug bounty programs, where security researchers receive a cash reward from software vendors for disclosing exploitable flaws in those vendors' software, have become an important part of the computer security landscape. Finding flaws and working out ways to exploit them can be a difficult and time-consuming process. Moreover, exploitable flaws have a market value, especially to criminals, as they can be used to propagate malware and attack systems.

Bounty programs address both concerns. They provide a means for compensating researchers for their efforts, and they provide a market for flaws that won't lead to compromised machines and harm to third parties. Google, Mozilla, Facebook, PayPal, and AT&T, among others, all offer monetary rewards for bug disclosures.

Read 7 remaining paragraphs | Comments

Categorías: Bundle Security blogs

Petition the NSA to Subject its Surveillance Program to Public Comment

Security blogs - Mié, 06/19/2013 - 17:18

I have signed a petition calling on the NSA to "suspend its domestic surveillance program pending public comment." This is what's going on:

In a request today to National Security Agency director Keith Alexander and Defense Secretary Chuck Hagel, the group argues that the NSA's recently revealed domestic surveillance program is "unlawful" because the agency neglected to request public comments first. A federal appeals court previously ruled that was necessary in a lawsuit involving airport body scanners.

"In simple terms, a line has been crossed," Marc Rotenberg, executive director of the Electronic Privacy Information Center, told CNET. "The agency's function has been transformed, and we think the public should have an opportunity to say something about that."

It's an ambitious -- and untested -- legal argument. No court appears to have ever ruled that the Administrative Procedure Act, which can require agencies to solicit public comment, has applied to the supersecret intelligence community. The APA explicitly excludes from judicial review, for instance, "military authority exercised in the field in time of war."

EPIC is relying on a July 2011 decision (PDF) it obtained from the U.S. Court of Appeals for the D.C. Circuit dealing with installing controversial full-body scanners at airports. The Transportation Security Agency, the court said, was required to obtain comment on a rule that "substantively affects the public."

This isn't an empty exercise. While it's unlikely that a judge will order the NSA to suspend the program pending public approval, the process will put pressure on Washington to subject the NSA to more oversight, and pressure the NSA into more transparency. We've used these tactics before. Two decades ago, EPIC launched a similar petition against the Clipper Chip, a process that eventually led to the Clinton administration and the FBI abandoning the effort. And EPIC's more recent action against TSA full-body scanners is one of the reasons we have privacy safeguards on the millimeter wave scanners they are still using.

The more people who sign this petition, this, the clearer the message it sends to Washington: a message that people care about the privacy of their telephone records, Internet transactions, and online communications. Secret judges should not be allowed to use secret interpretations of secret laws to authorize the NSA to engage in domestic surveillance. Sooner or later, a court is going to recognize that. Until then, the more noise the better.

Add your voice here. It just might work.

schneier
Categorías: Bundle Security blogs

Finding Sociopaths on Facebook

Security blogs - Mié, 06/19/2013 - 14:19

On his blog, Scott Adams suggests that it might be possible to identify sociopaths based on their interactions on social media.

My hypothesis is that science will someday be able to identify sociopaths and terrorists by their patterns of Facebook and Internet use. I'll bet normal people interact with Facebook in ways that sociopaths and terrorists couldn't duplicate.

Anyone can post fake photos and acquire lots of friends who are actually acquaintances. But I'll bet there are so many patterns and tendencies of "normal" use on Facebook that a terrorist wouldn't be able to successfully fake it.

Okay, but so what? Imagine you had such an amazingly accurate test...then what? Do we investigate those who test positive, even though there's no suspicion that they've actually done anything? Do we follow them around? Subject them to additional screening at airports? Throw them in jail because we know the streets will be safer because of it? Do we want to live in a Minority Report world?

The problem isn't just that such a system is wrong, it's that the mathematics of testing makes this sort of thing pretty ineffective in practice. It's called the "base rate fallacy." Suppose you have a test that's 90% accurate in identifying both sociopaths and non-sociopaths. If you assume that 4% of people are sociopaths, then the chance of someone who tests positive actually being a sociopath is 26%. (For every thousand people tested, 90% of the 40 sociopaths will test positive, but so will 10% of the 960 non-sociopaths.) You have postulate a test with an amazing 99% accuracy -- only a 1% false positive rate -- even to have an 80% chance of someone testing positive actually being a sociopath.

This fallacy isn't new. It's the same thinking that caused us to intern Japanese-Americans during World War II, stop people in their cars because they're black, and frisk them at airports because they're Muslim. It's the same thinking behind massive NSA surveillance programs like PRISM. It's one of the things that scares me about police DNA databases.

Many authors have written stories about thoughtcrime. Who has written about genecrime?

BTW, if you want to meet an actual sociopath, I recommend this book (review here) and this blog.

schneier
Categorías: Bundle Security blogs

IEEE Cloud 2013

Security blogs - Mié, 06/19/2013 - 13:12
06/27/2013 - &ldquo;Change we are leading&rdquo; is the theme of CLOUD 2013. Cloud Computing has become a scalable services consumption and delivery platform in...(author unknown)
Categorías: Bundle Security blogs

Lies, nuts, and the quest for attention

Noticias de Nuestros Miembros - Mié, 06/19/2013 - 09:45
It was brought to my attention a recent flood of Twitter messages containing a number of accusations (ranging from "horrible", to "very horrible") against my person. And apparently it's the *second* flood of Twitter messages (the previous one being about two weeks ago).

The accusations were originated by someone who happened to be a speaker at the same Conference I was a speaker and trainer (CONFidedence 2013) and, for reasons that I didn't and don't understand, has been repeating blatant lies, every time magnifying it a bit more -- which nobody in their right mind could believe.

At the time this issue came up, I assumed that it was a completely out of place reaction product of the ingest of too much alcohol. But when the accusations and drama continued, I honestly had no idea what went and goes through this person's mind.

This world is a complex place, and one should be surprised to find someone with such a mental disorder to come up with such a number of blatant lies. It's sad, frustrating, and annoying... but not surprising.

What I personally think is more of a concern is the reaction of other people upon those lies:

  • People making their own judgement even without asking for a second opinion.
  • Others offering to beat a guy up to "make things even".
  • An organizer of a conference at which I was a speaker and trainer comment that "I would never speak at that conference again".
  • Others arguing that they should "destroy my career".
  • (Allegedly) technically-bright people making stupid and primitive comments (ala "let's go and kill him").

... and the list continues.


For a second, think about events that happened in the last decade based on "assumptions", or the kind of anti-humanitarian scenarios this world has experienced simply because some mentally-disordered person came up with a blatant lie that everyone followed with questioning.

I will personally not contribute to the existing drama, since it someone else's game to get attention at any price.

Ironically enough, the people that had access to hotel security video recordings and other sort of information are now also accused for 2not taking action". And the ones with no clues about what really happened, are the ones making statements and comments such as the ones mentioned above.

My participation in the on-line world will continue as always: contributing my best to network security field. But I will certainly start legal actions to everyone that has made accusations that they cannot back. And I personally encourage anyone that has any concrete accusation to make, that they do so with the corresponding legal procedures. That's the best guarantee you can get that proper actions will be taken where/as needed. But, at the same time, it also means that everyone that simply repeats blatant lies "just because you think you're not going to be held responsible for them", gets what they deserve for libeling someone that does not deserve it. As some friend used to say, "you shouldn't be concerned about signing a statement if you are telling the truth" -- but none has done that.

Supporting a known entity (or known "colleague") is one thing. Repeating blatant lies without even checking if there's any truth to them is a completely different thing.

My close friends, people that I respect (and that I know that have been exposed to these lies), and folks that respectfully asked me what this whole issue was about, have received my rather complete version and my thoughts of these accusations. However, there's nothing that can be told to irrational people (that have made the sort of statements that I mentioned above) that will make them change their mind -- that's when a lawyer comes in, so that people are hold responsible for what they do and say.

Cost/Benefit Questions NSA Surveillance

Security blogs - Mié, 06/19/2013 - 09:24

John Mueller and Mark Stewart ask the important questions about the NSA surveillance programs: why were they secret, what have they accomplished, and what do they cost?

This essay attempts to figure out if they accomplished anything, and this essay attempts to figure out if they can be effective at all.

schneier
Categorías: Bundle Security blogs

Standing Up to Threats: The Cisco 2013 Annual Security Report &amp; Security Intelligence Operations [Infographic]

Security blogs - Mié, 06/19/2013 - 09:00
Are you thinking about the evolving threat landscape? You should be. Each day, new vulnerabilities are found and new exploits [...]Scott Simkin
Categorías: Bundle Security blogs

¿ Qué puede hacer LinkedIn por ti ?

Security blogs - Mié, 06/19/2013 - 05:47
A día de hoy es habitual leer acerca de Phishing, Spear Phishing, Spam, Web 2.0 y mezclas de varios de ellos para llegar a usuarios finales, los cuales suelen ser el punto más débil desde el punto de vista de la seguridad.

También es ya habitual ver cómo las redes sociales son el punto de partida para muchos tipos de ataques, o por lo menos un punto por el que la información suele pasar, ya sea como punto de partida, o de recepción de la información.

Por lo que intentemos reproducir uno de estos escenarios que a día de hoy se está utilizando, para intentar ver en la medida de lo posible el grado de concienciación que vamos a encontrar y qué resultados podría obtener un potencial atacante.

¿ Definición del punto inicial de ataque ?

Para empezar podríamos crear un perfil falso en LinkedIn, con un aspecto generalista, pero mínimamente enfocado a un tipo concreto de objetivos. Es importante escoger bien al inicio la imagen, el idioma, el último trabajo, los certificados o estudios y las habilidades. Estos puntos básicos harán que los primeros contactos que solicitemos ignoren la solicitud o no. Posteriormente los perfiles de los contactos que se vayan teniendo acabarán por dar credibilidad en mayor o menor medida a nuestro propio perfil.

Aunque la API de linkedin ofrece ciertas posibilidades para automatizar la solicitud de contactos, tiene sus limitaciones para evitar su abuso, por lo que aunque enviar invitaciones manualmente sea más costoso, permite controlar mejor los objetivos a los que se les envía inicialmente las invitaciones.

Podemos centrarnos en dos perfiles básicos, uno para ampliar los posibles objetivos alcanzables (contactos de 2nd nivel, Recruiters o perfiles de RRHH), y otro con objetivos concretos, ya sea por sector (Defensa/Tecnología), empresa (Partners gubernamentales), o persona individual (Militar/CEO/Manager), por acotar en cierta medida a modo de ejemplo un tipo de objetivo como podría ser cualquier otro.

Datos numéricos de aceptación.

Vamos a partir de un total de 114 invitaciones enviadas en todos los casos diciendo ser “amigos” de los destinos de las invitaciones, donde en el 100% de los casos es falso.




Antes de empezar a analizar como se podría llegar hasta este tipo de perfiles, veamos como están distribuidos.



Posibles vías de contacto masivo para envío de contenido malicioso.



A la hora de definir como vamos a ponernos en contacto con las victimas potenciales disponemos de varias alternativas que pueden hacer el mensaje más o menos creíble:
  • Mensajería interna de LinkedIn



    • Funcionalidad de compartir información de forma interna con nuestros contactos (o de modo global).


    • Exportar la lista de contactos, extraer los correos electrónicos y utilizar cualquier framework de Ingeniería Social para realizar una campaña de Spear Phishing tradicional.

    En este punto lo importante mas que el medio, es la credibilidad de lo que se ofrezca (material o inmaterial), así como la credibilidad visual del mensaje.

    Evidentemente el grado de éxito no solo dependerá de nuestro trabajo, también de la predisposición de las victimas potenciales a aceptar lo que se le envie, aunque no hemos de infravalorar a los usuarios finales, la experiencia nos dice que actualmente es el eslabón más débil en una infraestructura tecnológica.

    Conociendo que en todo el ciclo de vida de un perfil de LinkedIn el número máximo de invitaciones que se pueden enviar está establecido en 3.000 y no garantizan que tras previa solicitud este número de forma individual lo vayan a aumentar (y tras analizar el uso que se le daría en este caso, menos), realizar un total de 3000 invitaciones parece un rango suficiente para poder llevar a cabo un ataque bastante amplio.
    Curiosidades del proceso.

    Solo un usuario de 114 contactados solicitó información previa, antes de aceptar (en este caso de ignorar) la invitación inicial, lo cual es la opción correcta.

    Una vez alcanzado el medio centenar de contactos, dejó de ser necesario enviar invitaciones, el simple hecho de visitar perfiles hacía de reclamo para que visitaran nuestro perfil y así generar de forma indirecta que se nos solicitara ser uno de sus contactos.

    Superado el centenar de contactos, se reciben ofertas de trabajo en empresas de reputación contrastada.


    Eugenio Delfa
    Advanced CyberSecurity Services S21sec



    noreply@blogger.com (S21sec Labs)
    Categorías: Bundle Security blogs

    President Obama Is Right On US-China Hacking

    Security blogs - Mar, 06/18/2013 - 23:18

    I strongly recommend watching the excerpt on the Charlie Rose show titled Obama: Blunt Conversation With China on Hacking. I reproduced the relevant part of the transcript below and added emphasis to key points.

    CHARLIE ROSE: Speaking of pushing back, what happened when you pushed back on the question of hacking and serious allegations that come from this country that believe that the Chinese are making serious strides and hacking not only private sector but public sector?

    BARACK OBAMA: We had a very blunt conversation about cyber security.

    CHARLIE ROSE: Do they acknowledge it?

    BARACK OBAMA: You know, when you’re having a conversation like this I don’t think you ever expect a Chinese leader to say "You know what? You’re right. You caught us red-handed."

    CHARLIE ROSE: You got me. Yes.

    BARACK OBAMA: We’re just stealing all your stuff and every day we try to figure out how we can get into Apple --

    CHARLIE ROSE: But do they now say "Look? See you’re doing the same thing. We’ve been reading about what NSA is doing and you’re doing the same thing that we’re doing and there are some allegations of that. And the man who is now unleashing these secrets who’s telling everybody is in Hong Kong.

    (CROSSTALK)

    BARACK OBAMA: Yes.

    CHARLIE ROSE: And may be talking to the Chinese.

    BARACK OBAMA: Well, let’s separate out the NSA issue which I’m sure you’re going to want to talk to and the whole full balance of privacy and security with -- with the specific issue of cyber security and our concerns --

    CHARLIE ROSE: And cyber warfare and cyber espionage.

    BARACK OBAMA: Right. Every country in the world, large and small, engages in intelligence gathering and that is an occasional source of tension but is generally practiced within bounds. There is a big difference between China wanting to figure out how can they find out what my talking points are when I’m meeting with the Japanese which is standard fare and we’ve tried to prevent them from --

    (CROSSTALK)

    CHARLIE ROSE: Right.

    BARACK OBAMA: -- penetrating that and they try to get that information. There’s a big difference between that and a hacker directly connected with the Chinese government or the Chinese military breaking into Apple’s software systems to see if they can obtain the designs for the latest Apple product. That’s theft. And we can’t tolerate that.

    And so we’ve had very blunt conversations about this. They understand, I think, that this can adversely affect the fundamentals of the U.S./China relationship. We don’t consider this a side note in our conversations. We think this is central in part because our economic relationship is going to continue to be premised on the fact that the United States is the world’s innovator. We have the greatest R&D. We have the greatest entrepreneurial culture.

    Our value added is at the top of the value chain and if countries like China are stealing that that affects our long-term prosperity in a serious way.

    This is an amazing development for someone aware of the history of this issue. President Obama is exactly right concerning the differences between espionage, practiced by all nations since the beginning of time, and massive industrial theft by China against the developed world, which the United States, at least, will not tolerate. I am so pleased that this issue is at the top of the agenda between the US and China and that the President and his team, as well as Congress, are taking it so seriously.

    TweetCopyright 2003-2012 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

    Categorías: Bundle Security blogs