HACKING AUSTRALIA

9 Reasons to Enforce Web Security within the Organization

2012-02-03T07:30:00.000+11:00

Considering the wide range of malicious content threatening your users, implementing strong web security within the organization is a crucial part of any defense-in-depth strategy. Web security doesn’t have to mean blocking your users’ access to the Internet, but it does mean protecting them from the types of threats they will encounter every day. Here’s a rundown of the top nine threats that are there to help you understand the importance of strong web security. Some of these are threats to your users; others are threats to their productivity. All are things web security can help you protect against.

1.Compromised sites hosting malware
Every day you can read about sites that have been compromised by attackers. Hacked sites hosting malware are a common way to spread the damage to hundreds or thousands of others very quickly. Strong web security can protect your users by blocking access to compromised sites, and by scanning any downloads for malware.

2.Cross-site scripting attacks
Cross-site scripting can steal credentials, direct users to sites specifically hosting malware, and worse. Web security can detect when an XSS is attempted and protect users from the effects.

3.Typo-squatters
It’s common for people to register domains that are either misspelled, or simple one-offs from other sites to try to get traffic from users’ typos. Sometimes these sites simply have aggressive sales content; other times they are set up to look like the real site to fool users. Either way, web security can prevent this all too common mistake from doing damage.

4.Phishing sites
Phishing emails almost always include links to sites, where the real damage can be done. Web security can block access to these phishing sites.

5.Adult content
The last thing you need is an HR issue to deal with because someone clicked the wrong link in some search results. Web security can enforce the acceptable use policy, preventing both the intentional and accidental violations from occurring.

6.Controversial content
Adult content is not the only risk; political and religious sites may not be appropriate for users to access while at work and web security can ensure that Internet access is business appropriate.

7.Time sinks
If you have ever surfed the web, you have probably experienced the time loss that comes from a planned 30 second check-in that becomes a 30 minute catch up with what else is going on. “Just one more click…” can cost your company hours of lost productivity. Web security doesn’t have to block all personal Internet access; it can permit that within reasonable time limits.

8.Bandwidth hogs
One Internet audio stream may seem like it uses an insignificant amount of bandwidth, but with everyone streaming music, your pipe can quickly become clogged. Web security can monitor and identify the major bandwidth users, or block access to streaming media completely to save that bandwidth for important things, like customer orders.

9.Copyright violations
If a user downloads a pirated movie from your network, you could face liability. Web security can block access to these download sites, and block torrents and peer-to-peer sharing so you don’t worry about C&D letters or lawsuits.

With strong web security protection technology in place, you protect your users, your infrastructure, your data and, ultimately, your company. Look at web security as a critical component of your information security strategy.

This post was provided by Casper Manes on behalf of GFI Software Ltd.

User error is the biggest threat on the Internet

2012-02-02T07:30:00.000+11:00

Sophos unveiled a detailed assessment of the threat landscape - from hacktivism and online threats to mobile malware, cloud computing and social network security, as well as IT security trends for this coming year.

Year in review: Under attack

2011 was characterized by a rise in cybercrime. The availability of commercial tools designed by and for cybercriminals made mass generation of new malicious code campaigns and exploits trivial and scalable. The net result was significant growth in the volume of malware and infections.

Cybercriminals also diversified their targets to include new platforms, as business use of mobile devices accelerated. Politically motivated hacktivist groups took the media spotlight, even as the more common threats to cyber security grew.

Hype over hacktivism

The emergence of LulzSec and Anonymous marked a shift from hacking for financial gain to hacking as a form of protest. Hacktivists sowed chaos by leaking documents and attacking websites of high-profile organizations and even defense contractors. LulzSec dominated headlines in the first half of the year with attacks on Sony, PBS, the U.S. Senate, the CIA, FBI affiliate InfraGard and others, and then disbanded after 50 days.

Risky business

Increasingly, corporate users weren’t just at home or at work, but somewhere else on the “everywhere network.” And the consumerization of IT, sometimes called “bring your own device” or BYOD, became one of the newer causes of data vulnerability. Employees accessed sensitive corporate information from their home computers, smartphones and tablets. Moreover, corporate-issued mobile devices increased risk, as did the rise of cloud services and the use of social media.

According to the Sophos online poll, which asked users if their company allows personal laptops, desktops or phones for work, nearly 50 percent of respondents said yes. Another 10 percent who said their company doesn’t allow personal devices for work preferred they did.

Changing web threats and drive-by downloads

Cybercriminals constantly launched attacks designed to penetrate digital defenses and steal sensitive data. Almost no online portal proved immune from threat or harm. SophosLabs identifies an average of 30,000 newly-infected web pages each day. More than 80 percent of these web pages are on innocent web servers, which have been hacked by cybercriminals to make them part of the problem.

Additionally, 85 percent of all malware, including viruses, worms, spyware, adware and Trojans, comes from the web, according to the Ponemon Institute. Today, drive-by downloads have become the top web threat, and in 2011, one crimeware kit, known as “Blackhole,” rose to the number one on that list.

In the Sophos online poll, users were asked about the prevalence of malware compared to 2010; 67 percent of respondents felt it was on the rise.

The emergence of Mac malware

Microsoft Windows may be the most attacked OS, but the primary vectors for hacking Windows have been through PDF or Flash. Despite Microsoft’s regular updates to patch Windows OS vulnerabilities, the content delivery systems remained the largest vulnerability on any OS. In 2011, the emergence of malware for the Mac upstaged Windows malware. There's no doubt that the Windows malware problem is much larger than the Mac threat, but the events of 2011 show Mac users that the malware threat is genuine.

Top trends

There are many factors that will impact the IT security landscape this year and into the future. These include new attacks using social media platforms and integrated apps, more targeted attacks on non-Windows platforms, and mobile payment technologies under threat, among others which are highlighted within the report.

“As cybercriminals expand their focus, organizations are challenged to keep their security capabilities from backsliding as they adopt new technologies,” said Mark Harris, vice president of SophosLabs, Sophos. “And as we continue to access information in different ways, from different devices in different locations, security tools must be able to ‘protect everywhere’ - from desktops to mobile and smart devices and the cloud. But more importantly and oft-disregarded, cybercriminals will continue to stalk the easiest prey - security basics like patching and password management will remain a significant challenge.”

Source: http://bit.ly/yjrHYu

Twitter users beware: Homeland Security isn’t laughing

2012-02-01T12:00:00.000+11:00

Planning to make a joke on Twitter about bombing something? You might want to reconsider: according to a report from Britain, two British tourists were detained and then denied entry into the U.S. recently after they joked about destroying America and digging up Marilyn Monroe. The fact that the Department of Homeland Security and other authorities — including the FBI — are monitoring social media like Twitter and Facebook isn’t that surprising. But the fact that Homeland Security is willing to detain people based on what is clearly a harmless joke raises questions about what the impact of all that monitoring will be.

Leigh Van Bryan, a 26-year-old bar manager from Coventry, told The Sun that he and friend Emily Bunting were stopped by border guards when they arrived at Los Angeles International Airport and questioned for five hours about messages that Van Bryan had posted on Twitter saying he planned to “destroy America.” After the questioning, during which the Irish traveller said that Homeland Security threatened the two, they were put in a van and taken to a holding cell overnight, along with some illegal immigrants. After being held overnight, they said they were forced to take a plane back to England.

According to a report in The Daily Mail, the Homeland Security officers gave Van Bryan a document that detailed why he was refused admission to the United States, and it reads like a bad joke itself, saying:

He had posted on his Tweeter website account that he was coming to the United States to dig up the grave of Marilyn Monroe… Also on his tweeter account Mr Bryan posted that he was coming to destroy America.

Van Bryan told the newspaper that he tried to explain to Homeland Security officials that the term “destroy” was British slang referring to a party, and that his comments about “digging up Marilyn Monroe” were an attempt at humor, but that the officers didn’t listen. The authorities even searched their luggage looking for shovels and other tools, he said.

Monitoring social media makes sense — within reason

This isn’t the first time that someone has gotten in trouble for making a joke on Twitter: a British businessman named Paul Chambers was arrested under the Terrorism Act and questioned for more than seven hours in 2010 after making a joke on Twitter about blowing up an airport, a joke he said he made because he was frustrated about the airport being closed due to bad weather. He was tried and found guilty and fined a thousand pounds, and eventually lost his job as a result of the publicity.

The fact that Homeland Security is monitoring social networks like Twitter and Facebook for certain keywords isn’t that surprising: the department said during a security review earlier this year that it has been monitoring those networks and a list of blogs and other sources (including WikiLeaks) for information about potential security hazards and what it called “situational awareness.” The Federal Bureau of Investigation also recently revealed that it is trying to develop a service that can monitor social-media sources and automatically create alerts based on the information it finds there.

To me, it makes perfect sense for security officials to be monitoring social networks and even blogs. This is all public information that could contain useful signals about real terrorism or threats to national security of some kind, and it should obviously be part of the normal intelligence process. But doing this properly also requires some sense of proportion about what constitutes a real threat and what is clearly a joke. Did Homeland Security really think that a 26-year-old bar manager was a serious threat?

We all know that we are likely being monitored in even more ways now than we have ever been, whether it’s by security cameras or algorithms that comb through tweets and Facebook posts. But that’s not the scary part — the scary part is what can happen when that information gets misinterpreted and it escalates into a major crisis for no reason.

Post and thumbnail photos courtesy of Flickr users Stefan and Rosaura Ochoa

Source: http://goo.gl/qY8CI

5 reasons to enforce email monitoring

2012-02-01T07:30:00.000+11:00

Managing storage continues to be one of the most significant challenges for email management, but the right tools can change this from a daily headache to an easy win. Email monitoring gives administrators those tools; providing detailed information on how email is being used, both internally and externally. Here’s a list of the top five ways email monitoring will empower you to optimize your email management.

1. Identify heavy users

Knowing who the heaviest users are can help you plan storage, reallocate mailboxes amongst databases to streamline backups, and also learn about who is emailing whom, both within and outside the company. Knowing your communications channels can help you better understand the business and the needs of your customers while helping you with email management, email management tools can provide you with detailed reports on who sends and/or receives the most email, and who they are communicating with.

2. Manage those attachments

A single word document can take up more space than a hundred plain text emails. And how many different versions of a project plan are floating around inside your mailstores because each revision gets mailed out to everyone on the project team? Email is a convenient, but inefficient file server, and most attachments should really be on stored on SharePoint or a network drive. Moving file transfers to the proper resource will make email management a much easier task. Email monitoring software allows you to receive reports on total space used by attachments, the types of attachments, and real space wasters like duplicates.

3. Find policy violations

When it comes to attachments, non-work related attachments can also chew up huge amounts of storage. Finding the MP3s and AVIs, and reminding users of the company policy can free up lots of disk space rapidly. While you are at it, using email monitoring will enable you to make sure no one is forwarding all their company email to their personal account, or worse, the competition. Good email management includes safeguarding the company’s assets.

4. Storage

Of course, older emails can take up a ton of storage space, and users won’t delete anything unless you stand next to them and press the keys for them. An email monitoring solution can help you to understand how much better it would be if of all that email was moved to the storage managed by an email archiving solution. Using easy to setup rules, your email management of storage becomes an easy task, as messages are moved to the archive automatically. Your users will have no more run-ins with quotas, and no more need for PST files.

5. Retention

Sometimes, email management means knowing when to say goodbye to those older emails. If your company has a document retention policy, it probably defines not only how long to save certain information, but when it needs to be destroyed. An email archiving solution that offers email monitoring features can automatically age out and purge email that exceeds the defined retention policy, automating the housekeeping that you never have time to get to yourself.

As you can see, the winning combination of email archiving and email monitoring makes email management a much easier task, providing in-depth information about how your users communicate, and supports the company’s document retention and other policies. With these tools you can take your Exchange infrastructure to the next level, providing better service with lower storage costs.

This post was provided by Christina Goggi on behalf of GFI Software Ltd.

Video: New Banking Trojan Caught Breaking CAPTCHA

2012-01-31T12:00:00.000+11:00

by Christopher Brook

A new banking Trojan variant can bypass CAPTCHA, as demonstrated by a video posted today by security firm Websense on their Security Labs blog.

Once downloaded to the machine, Cridex, a data-stealing Trojan, will track content from various web forms. Cridex also downloads a ‘spamming module’ to the infected machine that enables the botmaster to send malicious e-mails to boost infection rates. This module, as shown in the video, utilizes a CAPTCHA-breaking server that helps the botmaster circumvent any CAPTCHA after a few tries, allowing the attacker to create a new Yahoo e-mail account.

The CAPTCHA attempts are sourced from a series of challenge images (embedded in HTTP) that have been gathered from the e-mail registration form and uploaded to the remote CAPTCHA-breaking server.

For more on the methods used by Cridex and the exact steps of the CAPTCHA-breaking process, head to Websense.

Protecting Data Is Not a Black and White Issue

2012-01-31T07:30:00.000+11:00

Data protection is more nuanced than simply allowing or denying access. The ages-old concept of group and individual permissions for file and folder access are based on the fact that one person may have no business opening a given file, while the next person may need to read and review that same file as a function of their role. This same type of control is needed when it comes to allowing data to be printed, or stored on an external drive or USB flash drive.

Because protecting data is not a black and white issue, the solution needs to be more flexible than simply blocking or allowing access. Zecurion’s Zlock gives IT admins the ability to apply fine-tuned controls that prevent the unauthorized copying and storing of data without impeding legitimate, authorized use of removable media at the same time. Just as one person may have no business opening a file that another person needs to do their job, one person may have no legitimate business purpose for storing data on removable media, while the next person may need that capability to perform their job function. A solution that simply locks down USB ports is like killing a housefly with a hand grenade, and applies too broadly to provide functional data protection.

Zlock takes it a step farther, though. Jim may have a business need to store sensitive data on a removable drive, but you don’t need to grant blanket permission to Jim. You can still set up controls in Zlock that let Jim store data on a USB flash drive, but only if the data is encrypted. In fact, IT admins can configure Zlock to only allow Jim to store data on a specific brand of company-issued flash drives, or even a specific hardware ID of an individual USB flash drive issued to Jim. That way, data is protected, and the flow of sensitive data is controlled, but Jim is still able to do his job without having to jump through any additional hurdles.

Article Source: http://goo.gl/5czex

Phishing Attacks Can Happen On Your Mobile Phone Too

2012-01-27T07:30:00.000+11:00

A few years ago most of the general public had never even heard of a phishing attack. These days it is better known. While still not a general knowledge question it has been exposed a little bit more by the media and web safety outfits. But just because the problem has seen a little bit more daylight does not mean that it has gone away. No, the problem of phishing attacks is still with us. And while that is still very much a problem, the bigger problem is that now it is starting to move to a new medium.

The mobile phone is becoming more and more the popular choice to surf the web. What better way to waste time than to surf the web while you are on the go. It is because of this activity that you are starting to see more web sites optimize for smaller screens. But it is not only the legitimate web sites that are focusing on the phone. The criminal web sites are as well.

Surfing the web on your mobile phone is no longer a time when you can have your defenses down. In the past when people would surf the web on their mobile phones they pretty much knew that the attacks that were directed at users of Windows and Apple computers could not hurt them. That is no longer the case. Hackers know how to code for the phones now. But it is the web based attacks like phishing that can hurt you no matter what platform you are on.

What is a phishing attack?

A phishing attack is when one web site pretends that it is another. A victim will go to that web site, thinking that they are safe but instead they are really giving up all of the information that they type in that site.

And that is why a phishing attack works on any platform no matter if it is your desktop or your phone. It is strictly a web based attack to obtain information. No matter how you give them the information it is still going to work. The platform of how you give them the information is secondary.

If you want to be able to avoid a phishing attack then the easiest way is to make sure that you pay attention to the web address of the site that you are on. Also, if you get an email and it says to click a link to go to the web site, instead just type the name of the web site in. Then you know exactly what site you are going to.

Source Article: Security-faqs

Seven Ways to Get Yourself Hacked

2012-01-26T07:30:00.000+11:00

As targeted scams become more common, it's vital to protect yourself.

By Simson Garfinkel

In recent months, I've met at least three people who have been the victim of hackers who've taken over their Gmail accounts and sent out e-mails to everyone in the address book.

The e-mails, which appear legitimate, claim that the person has been robbed while traveling and begs that money be wired so that the person can get home. What makes the scam even more effective is that it tends to happen to people who are actually traveling abroad—making it more likely that friends and families will be duped.

Although it's widely believed that a strong password is one of the best defenses against online fraud, hackers increasingly employ highly effective ways for compromising accounts that do not require guessing passwords.

This means that it is more important than ever to practice "defensive computing"—and to have a plan in place for what to do if your account is compromised.

Malware. Sometimes called the "advanced persistent threat," a broad range of software that was programmed with evil intent is running on tens of millions of computers throughout the world.

These programs can capture usernames and passwords as you type them, send the data to remote websites, and even open up a "proxy" so that attackers can type commands into a Web browser running on your very computer. This makes today's state-of-the-art security measures—like strong passwords and key fobs—more or less useless, since the bad guys type their commands on your computer after you've authenticated.

Today, the primary defense against malware is antivirus software, but increasingly, the best malware doesn't get caught for days, weeks, or even months after it's been released into the wild. Because antivirus software is failing, many organizations now recommend antediluvian security precautions, such as not clicking on links and not opening files you receive by e-mail unless you know that the mail is legitimate. Unfortunately, there is no tool for assessing legitimacy.

Windows XP. According to the website w3schools, roughly 33 percent of the computers browsing the Internet are running Windows XP. That's a problem, because unlike Windows 7, XP is uniquely susceptible to many of today's most pernicious malware threats. Windows 7, and especially Windows 7 running on 64-bit computers, has security features built in to the operating system such as address space randomization and a non-executable data area. These protections will never be added to Windows XP. Thus, as a general rule, you should not use Windows XP on a computer that's connected to the Internet. Tell that to the 33 percent.

Kiosk computers. You should avoid using public computers at hotels, airports, libraries, and "business centers" to access webmail accounts, because there is simply no way to tell if these computers are infected with malware or not. And many of them are running Windows XP. So avoid them.

Source Article: http://techre.vu/x1Yq35 (via @TechReview)

How to Boost Your Phishing Scam Detection Skills

2012-01-25T07:30:00.001+11:00

Phishing scams—the ones that try to get you to provide private information by masquerading as a legitimate company—can be easy to uncover with a skeptical eye, but some can easily get you when you let your guard down for just a second. Here's how you can boost your phishing detection skills and protect yourself during those times when you're not at full attention.

Want to test your phishing IQ and find out what kind of scams you're most likely to miss? Take this test.

What You Can Do

The way most phishing scams find victims is through email, but sometimes you'll come across a phishing site in the wild as well. Either way, here are the basic principles you want to follow to keep a cautious eye out for these malicious traps.

Check the URL

Phishing scams are designed to look like official emails and web sites from actual companies, but they aren't actually those things—they're just imitations. Because the emails and web sites are imitations they'll probably look a little different from what you'd expect in general, but more importantly those sites can't have the same URL as the web site they're pretending to because they are different sites. To check the URL, just hover of the link you're thinking of clicking. At the bottom of your window you should see the URL displayed. Once you do that, you have to figure out if it is a good URL or a bad URL.

Using PayPal as an example, you'll generally see http://www.paypal.com as part of the URL.

Sometimes you'll see something like http://subdomain.paypal.com as well. Both of these URLs are okay, because they end in paypal.com. A phishing URL, however, might look something like this: http://paypal.someotherdomain.com. In this case, "paypal" is attached to another domain name (someotherdomain.com). URLs like this are the ones you want to avoid.

Always Go Direct

The best thing you can do to avoid phishing scams is always go directly to the web site you want to visit rather than clicking a link. This way you don't have to figure out if the URL is safe or not because you'll be using a URL in your bookmarks (or your brain) that you already know is safe. Doing this can also help protect you from phishing scams when you let your guard down because you'll be in the habit of visiting sites directly rather than clicking links.
I fell for a phishing scam once when I read the email right after I woke up in the morning. It was from my bank and they'd sent me a lot of verification notices lately since I'd been traveling and using my debit card all over the place. When I got another one, I didn't even think about it because I'd just woken up. I went to the site, filled in my info, and then immediately realized I'd just provided that information to a phishing scam site. I called the bank to let them know right away and got a new card, but had I changed my default behavior to calling the bank of visiting the bank's web site this probably wouldn't have happened. Of course, that's what I do now and it hasn't been a problem since.

What Your Browser Can Do For You

Detecting phishing scams on your own mainly require the mild paranoia and the behavioral adjustment described above, but there are a few other things you can do to make your everyday browsing safer.

Turn Off Form Autofill

One great feature of many web browsers is the autofill feature. It makes it really easy to fill out forms using information already stored in the browser. It also makes it easy for you to ignore the form you're filling out and just submit it, causing you to potentially miss a phishing scam when you're rushing through the process. While this precaution isn't necessary, and you might prefer the convenience of autofill to the safety benefits that deactivating it can provide, turning it off will provide a little added protection.

Utilize Your Browser's Built-In Tools

Most browsers come with some phishing protection built-in to help protect you, but it isn't always enable by default. Google Chrome keeps track of common phishing sites and can alert you when you visit one, but you may need to go through the short setup process to make it work. Firefox also offers phishing and malware protection in a similar way, and you can enable it in the Security section of Firefox's preferences.

Bump Up Your Phishing Protection with Web of Trust

Web of Trust is one of our favorite browser extensions because it automatically lets you know if a web site is trustworthy or not. While it can't possible verify every single site on the internet, it can make you aware of potentially harmful sites and phishing scams. All you have to do is install the extension for your browser and it will display a trust rating in your browser's toolbar. (You can read more about this here.) Web of Trust is available to download for Google Chrome, Firefox, Internet Explorer, Opera, Safari, and as a bookmarklet for other browsers.

Source Article: http://goo.gl/nhzSY

Bait Your Users with the Simple Phishing Toolkit

2012-01-24T07:30:00.000+11:00

By Joe Brockmeier

By now, most folks have heard of phishing scams, and know to be on the lookout for fake PayPal and bank sign-ons. But what happens when your co-workers get a link to a site that looks just like the corporate intranet? Using the Simple Phishing Toolkit (SPT) you can find out.
The concept behind SPT is pretty simple: Most companies spend a fair amount of money on trying to secure their environment. How much do they spend on educating users? Very little, and in many cases nothing at all. As the saying goes, an ounce of prevention is much better than a pound of cure.

Working with SPT

Basically, SPT is a PHP/MySQL package that is designed to create and run phishing campaigns. It should install on any current LAMP or WAMP stack in just a few minutes. If you've installed Drupal or WordPress or any other PHP/MySQL package, it shouldn't take more than a coffee break to set up. (Creating the database and MySQL user is the longest part of the process.)
From there, you can create campaigns to try to "hook" users and see if they're gullible enough to hand out credentials to a phishing site. You supply templates to SPT for the target site, and the list of users and the body of the email. It will send out the phishing emails and collect data when users respond.
Note that there are two ways to provide a template to SPT – provide a template that you've created, or scrape another site. In my tests of SPT, the scraping didn't work. You can find a Microsoft Outlook Web template on the SPT site, though. This might get you started right away if your organization uses Outlook.

You can also provide an "education package" so that users get schooled as soon as they fall for the phishing link. This can be triggered as soon as users click on the link, or after they provide data.

Could be Used for Good or Evil

The project is open source, available under the GPLv3. It's also extensible, so if it doesn't do everything you want there is the option of writing modules for it. The project is still relatively young, I tested the 0.4 release. Now might be a good time for IT departments to talk to their users about phishing, then plan a SPT campaign for later in the year.

It's worth noting that SPT could be used to run actual phishing campaigns, but those are going on already anyway. Yes, SPT promises to be a really easy way to set up a phishing attack, but that's all the more reason to start educating users.
Does SPT look like something you'd use in your business? Are you doing anything to educate users about phishing already? Would love to hear more ideas in the comments about educating users rather than just spending money on security measures.

Source Article: http://goo.gl/YxAvn

Beware of fake Megaupload “comeback” phishing scams

2012-01-23T07:30:00.001+11:00

By: Will Shanklin

Megaupload is supposedly back, albeit without any functionality. An IP address which is dressed to look like Megaupload is being promoted, but evidence points to this as being 100% bogus. If this is legitimate, then Megaupload is one resilient company. The only problem is that this is almost certainly a phishing scam, which you’ll want to avoid like the plague.
Yesterday Megaupload’s domain and assets were seized by the Feds, with the company’s executives being placed under arrest.
As of now, nothing on this site claiming to be the “new Megaupload” works. Every link greets you with the same message, telling you that “this is the new Megaupload site.” The message (probably from a phisher) promises that the company is working to get back up again.
The site’s appearance looks legitimate enough. The familiar Megaupload logo, customary orange and white colors, fonts, and tabs are all there. These could all be easily faked, though — phishers do this with other sites every day. There is also a glaring typo (“beware to the pishing sites”).
Perhaps the biggest evidence against this site is that its IP address was recently directing to another company — which was already flagged as a phishing scammer. We’ll update if we get more information, but we’d advise you to stay far away from this. As long as Megaupload’s employees are in prison with their equipment under Federal control, we don’t expect to see any comebacks.
Source Article: http://goo.gl/2cQTz

Ensuring Online Banking Security

2012-01-20T07:30:00.000+11:00

Phishing Attacks Target Chase and Barclays Accounts
By Tracy Kitten, January 15, 2012.

Accountholders at Chase in the United States and Barclays in Britain have been the targets of a rash of targeted phishing schemes.

Researchers at security firm GFI Software last month discovered customers at Chase had been targeted by phishing e-mails that provided links to spoofed Web pages that requested users submit sensitive online banking details.

The firm also discovered phishing hits aimed at Barclays, though the nature of the attacks differed a bit. In Barclays' case, GFI reported that fraudulent warning e-mails about account suspensions had been sent to Barclays' users. The e-mails, feigning to be security alerts from the bank, claimed that attempts to access online accounts had exceeded limits set by the bank, suggesting hackers had been attempting to break in. Attachments contained in the e-mails asked recipients to provide confidential data to reactivate their online accounts.

The attacks against Chase and Barclays were not rare. Targeted schemes, better known as spear phishing, are common. Similar attacks have been waged against NACHA - The Electronic Payments Association and the Federal Deposit Insurance Corp., just to name two. [See FBI Warns of New Fraud Scam.]

Banks: Cyberfraudsters' Aim
Targeted attacks aimed directly at banks and banking accounts are becoming more standard as well. Last month, the Federal Bureau of Investigation and the U.S. Attorney for the District of Connecticut indicted 14 Romanians for their involvement in an identity-theft scheme that relied on phishing attacks to steal online banking credentials from customers at Connecticut-based People's Bank. Customers at Citibank, Capital One, Bank of America, JPMorgan Chase, Comerica Bank, Regions Bank, LaSalle Bank, U.S. Bank, Wells Fargo, eBay and PayPal also were targeted. [See 14 Indicted in Phishing Scheme.]

Recommendations and the Need for Layered Security
Fraudsters have proven they can get around basic authentication techniques, including two-factor authentication. [See Ramnit Worm Threatens Online Accounts.]

The need for enhanced user authentication served as the catalyst for updated online authentication guidance from the Federal Financial Institutions Examination Council, which took effect this month. Federal banking regulators say banks and credit unions need to ensure they layer security measures, meaning user authentication must go beyond mere logins and passwords.

But a greater concern is online user behavior, since most consumers use the same login names and passwords for multiple accounts, including bank accounts. [See The Real Source of Fraud.]

That universal use of logins and passwords allows cybercriminals to piece together information that can later be used to compromise online credentials. "User names for social websites are often searchable using typical search engines and often the corresponding e-mail addresses are in plain view for casual Internet users and thieves alike to see," says John Buzzard, who monitors phishing attacks and skimming trends for FICO's Card Alert Service.

Fortunately, most phishing schemes are relatively easy to thwart, if practical precautions are taken. "It's rather surprising to keep reading stories about phishing vulnerabilities since phishing varietals have been around since at least 2005," Buzzard says.

Banking institutions can mitigate risks associated with phishing schemes by implementing tried and true best practices that limit exposure to a variety of Internet fraud types. Buzzard recommends institutions:

Provide timestamps for online-banking sessions. Accountholders can look at timestamps to see when the last, and potentially, unauthorized log-in occurred.

Deliver daily account alerts. "Consumers love the ability to establish their own rules so that they can be alerted to ATM withdrawals and daily balances," Buzzard says.

Leverage online banking websites for the delivery of important consumer messages. "A simple email alerting the accountholder that a critical communication is waiting for them inside of their online banking account really is an effective means to ensure that the consumer cannot only view but trust the communication's content," he says.

Avoid e-mailing links. Financial institutions want to discourage consumers from clicking links. When e-mailing correspondence, just inform them to visit the official online-banking site. "Your customer knows how to find their online banking website and they already know how to reach you by phone," Buzzard says.

Source Article: Banking Info Security http://goo.gl/PH0vD

Email and web scams: How to help protect yourself

2012-01-19T07:30:00.000+11:00

When you read email or surf the Internet, you should be wary of scams that try to steal your personal information (identity theft), your money, or both. Many of these scams are known as "phishing scams" because they "fish" for your information.

How to recognize scams
New scams seem to appear every day. We try to keep up with them in our Security Tips & Talk blog. To see the latest scams, browse through our fraud section. In addition, you can learn to recognize a scam by familiarizing yourself with some of the telltale signs.

Scams can contain the following:

Alarmist messages and threats of account closures.

Promises of money for little or no effort.

Deals that sound too good to be true.

Requests to donate to a charitable organization after a disaster that has been in the news.

Bad grammar and misspellings.

For more information, see How to recognize phishing emails and links.

Popular scams
Here are some popular scams that you should be aware of:

Scams that use the Microsoft name or names of other well-known companies. These scams include fake email messages or websites that use the Microsoft name. The email message might claim that you have won a Microsoft contest, that Microsoft needs your logon information or password, or that a Microsoft representative is contacting you to help you with your computer. (These fake tech-support scams are often delivered by phone.) For more information, see Avoid scams that use the Microsoft name fraudulently.

Lottery scams. You might receive messages that claim that you have won the Microsoft lottery or sweepstakes. These messages might even look like they come from a Microsoft executive. There is no Microsoft Lottery. Delete the message. For more information, see What is the Microsoft Lottery Scam?

Rogue security software scams. Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure you into participating in fraudulent transactions. These scams can appear in email, online advertisements, your social networking site, search engine results, or even in pop-up windows on your computer that might appear to be part of your operating system, but are not. For more information, see Watch out for fake virus alerts.

How to report a scam
You can use Microsoft tools to report a suspected scam.

Internet Explorer. While you are on a suspicious site, click the gear icon and then point to Safety. Then click Report Unsafe Website and use the web page that is displayed to report the website.

Hotmail. If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Hotmail inbox. Click Mark as and then point to Phishing scam.

Microsoft Office Outlook. Attach the suspicious email message to a new email message and forward it to reportphishing@antiphishing.org. To learn how to attach an email message to an email message, see Attach a file or other item to an email message.

You can also download the Microsoft Junk E-mail Reporting Add-in for Microsoft Office Outlook.

What to do if you think you have been a victim of a scam
If you suspect that you've responded to a phishing scam with personal or financial information, take these steps to minimize any damage and protect your identity.

Change the passwords or PINs on all your online accounts that you think might be compromised.

Place a fraud alert on your credit reports. Check with your bank or financial advisor if you're not sure how to do this.

Contact the bank or the online merchant directly. Do not follow the link in the fraudulent email message.

If you know of any accounts that were accessed or opened fraudulently, close those accounts.

Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that you didn't initiate.

Identity theft protection tools to help you avoid scams
Microsoft offers several tools to help you avoid phishing scams when you browse the web or read your email.

Windows Internet Explorer. In Internet Explorer, the domain name in the address bar is emphasized with black type and the remainder of the address appears gray to make it easy to identify a website's true identity.

The SmartScreen Filter in Internet Explorer also gives you warnings about potentially unsafe websites as you browse. For more information, see SmartScreen Filter: frequently asked questions.

Windows Live Hotmail. Microsoft's free webmail program also uses SmartScreen technology to screen email. SmartScreen helps identify and separate phishing threats and other junk email from legitimate email. For more information, see SmartScreen helps keep spam out.

Microsoft Office Outlook. The Junk E-mail Filter in Outlook 2010, Outlook 2007, and other Microsoft email programs evaluates each incoming message to see if it includes suspicious characteristics common to phishing scams. For more information, see How Outlook helps protect you from viruses, spam, and phishing.

Source Article: Microsoft http://goo.gl/3VjyL

Our bad habits put us at risk

2012-01-18T07:30:00.001+11:00

AUSTRALIA has a heightened chance of slipping into a recession this year after using up most of its ammunition to dodge the global downturn caused by the 2009 recession, economists warn.

JP Morgan chief economist Stephen Walters said our good fortune had left us with bad habits making us more vulnerable.

While Europe and the US had been forced to make long-term economic changes in recent years, Australia still has high levels of household debt and inflated house prices.

He also warned our present positive exposure to China could quickly turn if the Asian economy stumbled.

"The problem is that Australia still carries the same vulnerabilities as it did four years ago," Mr Walters said. "Most other countries went through a recession, which flushes out weaknesses.

"The vulnerabilities we have don't make a recession more likely, but it means a recession would be more painful than if we had shaken off our excesses now."

After 22 years of growth, Mr Walters warned a cyclical recession was expected within the next decade.

He said the RBA should use its monetary policies to target the disparity between house prices and income and push households to continue paying down their debts.

Mr Walters said Australia was right to reap the benefits of exports to China while it could, but should not view Asia as a permanent cash cow.

Source Article: Herald Sun http://bit.ly/y8xX7B

Stratfor reopens website

2012-01-17T07:30:00.000+11:00

By Kirk Ladendorf | Wednesday, January 11, 2012, 09:39 AM

Stratfor, the Austin company that took its website down on Christmas Day after a hacking attack, has reopened the site with bolstered security.
A hacker group called Anonymous claimed credit for the attack and took credit card information belonging to thousands of customers. Some of those credit cards were used to make donations to non-profit groups, including the Red Cross.
Stratfor, which provides geopolitical analysis, said its servers had been damaged in the attack. The company retailed Sec Theory, an Internet security firm, to rebuild its website, email system and internal infrastructure. It also hired CSID, an Austin company that protects against identity theft, to work with its customers at Stratfor’s expense.
The company also has built a new section of its website to tell its story of the hacking attack.The company said it will move its entire e-commerce process to a highly secure third-party system, which will eliminate the need for Stratfor to store credit card information in-house.
The company also hired Verizon Business to conduct a forensic review of the hack and it continues to cooperate with an FBI investigation.
“We did not encrypt credit card files,” said Stratfor CEO George Friedman of the company’s practice before the attack. “That was our failure. As the CEO of Stratfor, I take responsibility. I deeply regret that this occurred and created hardship for our customers and friends.”
By some estimates about 75,000 customers names, addresses and credit card numbers were exposed. One cyber security analyst, John Bumgarner, told the Los Angeles Times that thousands of those names exposed included military personnel, while 212 email addresses were from the FBI and dozens more from the National Security Agency and the Central Intelligence Agency.
The company said its website will be free and accessible for all on a temporary basis, but it will contain only the company’s most recent reports. All archived files will be gradually restored.
Over the next few weeks, the company will communicate with subscribers about how to obtain new, secure passwords and safely engage in credit card transactions.

Source Article: http://goo.gl/AKoI2

Man gets a year in prison for hacking, wiping medical competitor's computer

2012-01-16T07:30:00.000+11:00

By Fran Jeffries
The Atlanta Journal-Constitution

An Atlanta man has been sentenced to serve a year and a month in prison for hacking into a competing medical practice's computer to try to lure away patients.

Eric McNeal, 38, was charged with accessing a computer without authorization, including taking patients' personal information in order to send them marketing materials. He pleaded guilty to the charge on Sept. 28.

According to prosecutors, McNeal, an information technology specialist, worked for Atlanta Perinatal Associates, a medical practice in Atlanta. He left that company in November 2009 and went to work for a competing perinatal medical practice in the same building.

In April 2010, McNeal used his home computer to hack into his former employer's patient database. He downloaded the names, phone numbers and addresses of its patients, and then deleted patient the information from his former employer's system.

McNeal then used the patient names and contact information to launch a direct-mail marketing campaign to benefit his new employer. There is no evidence that McNeal downloaded or misused specific patient medical information, prosecutors said.

“Anyone who gives their personal information to a doctor or medical facility does not expect that their information will be hacked and used to make money," said U.S. Attorney Sally Quillian Yates. "This is cybercrime. Electronic information is bought, sold and stolen, often by someone who knows a system and, with a few keystrokes, makes our community vulnerable.”

Source Article: http://goo.gl/axgwz

5 reasons cybersecurity matters to small businesses

2012-01-13T07:30:00.001+11:00

By Heather Clancy | December 28, 2011, 4:09am PST

Summary: Small businesses often think they are ‘too small’ to be worth hackers’ notice, but that assumption could be devastating.

On Christmas Day, perfectly timed for the traditionally slow news week that leads into New Year’s Eve, the cyber hacktivist group Anonymous apparently hacked the Web site and internal servers of security consulting and risk management advisory firm Stratfor.

Soon thereafter, the alleged attackers began publishing all sorts of confidential information, including the names of the company’s clients. What’s more, someone started using the credit card information obtained during the breach to make charitable donations in a vaguely Robin Hood-esque tradition.

Although the subsequent attacks that were threatened apparently have not come to pass, or least haven’t yet been disclosed publicly, the incident caps a year of pretty serious cyberhacking. Sony and RSA were just two of the big companies embarrassed by extremely public incidents. As I was reading up on this topic, I discovered that there were 760 attacks in the past decade by just one Chinese firm. That’s just one nasty organization. That should give you pause, because I can assure you there is more than one person out there in the world who would love to create trouble for your business.

So, even though I’ve already written about essential technologies for investment by small businesses in 2012, security is absolutely positively the most important infrastructure that small companies need to make.

Here are 5 reasons why:

Smaller companies are more likely to be attacked than bigger ones. Don’t believe me? Symantec.com, which keeps statistics on this sort of thing, suggests that 40 percent of attacks are against organizations with fewer than 500 employees, versus 28 percent against bigger companies. Remember, there are lots of people who could make trouble this way. Not just big groups with something to provide like Anonymous or LuluSec, but disgruntled former employees or business partners.

Breaches are potentially business-ending events. Depending on the statistics you believe, the average cost of a breach or cybersecurity incident is about $190,000. Do you have that sort of money to lose? Even more serious: about half of small businesses still don’t back up their data, so what is lost is lost forever. Which means your business might be lost forever. The Federal Communications Commission has published a useful cybersecurity guide you might want to consult.

Can you be sure you are properly controlling the access of your employees and business partners? This will only be a bigger factor, as personal tablets and smartphones become more commonly used as business tools. Improperly managed client-side software is one of the biggest known cybersecurity threat, allowing people to see information that they really shouldn’t be able to see AND allowing rogue malware to enter your infrastructure. I am dealing with an problem like this right now. Even though certain files I post to my non-profit’s web site are “gated,” for some reason, they can be accessed publicly if the right link shows up in a Google search.

Attacks could ruin your company’s reputation. I know that they say all publicity is good publicity, but think about how embarrassed Stratfor must be this week. After all, this is a security consulting company. According to the reports about the incident, the reason that the hackers were able to steal so much data — up to 200 gigabytes — and make use of it was because certain information was not encrypted. Stratfor should have known better, and so should your company.

Your company could be putting its best customers at risk. In assessing the security risks for their business, some owners and managers fail to consider that it isn’t just your own data you need to worry about, it is that of your customers. Anyone involved in healthcare already has this mantra beaten into their brain, but any company that engages in business-to-business activity with much larger businesses needs to consider their needs as the driver for their own security plans.

Article Source: ZDNet... http://t.co/vemfIXLt via @HeathClancy

5 top cyber threats for 2012

2012-01-12T07:30:00.000+11:00

CBC News Posted: Jan 3, 2012 1:31 PM ET

As cybercriminals improve their toolkits and malware, they’re moving away from hacking personal computers to mobile devices, as well as plotting other more sophisticated attacks, according to a report on the top cyber threats for 2012.

“Many of the threats that will become prominent in 2012 have already been looming under the radar in 2011,” Vincent Weafer, senior vice president of McAfee Labs, a technology company and subsidiary of Intel Corp., said in a release

The five top cyber threats as seen by McAfee are:

Attacking mobile devices: Techniques used in the past for online banking, such as stealing from victims while they are still logged on, will now target mobile banking users.

Embedded hardware: Embedded systems, which are designed for a specific control function within a larger system, are commonly used in vehicles, GPS systems, medical devices, routers, digital cameras and printers. Hackers with access to malware that attacks the hardware layer of such systems will gain control and long-term access to the system and its data.

Industrial attacks: Many of the environments where SCADA (supervisory control and data acquisition) systems are deployed — such as water, electricity, oil and gas utilities — don’t have sufficiently stringent security practices, leaving them vulnerable to blackmail or extortion.

"Legalized" spam: While global spam volumes have dropped in recent years, legitimate advertisers are now using the same techniques, such as purchasing email lists of users who have consented to receive advertising, or purchasing consumer databases from companies going out of business. “Legal” spam is expected to grow at a faster rate than illegal phishing and confidence scams on the internet.

Online/frontline hacktivisim: McAffee predicts the true Anonymous group will reinvent itself or die out, and those leading digital disruptions will join forces with physical protesters to target public figures such as politicians and business leaders.

Biggest security threats in 2012 are cyber espionage, privacy violations

2012-01-11T07:30:00.000+11:00

By P b, Jan 02, 2012 03:32 PM

Cyber espionage, along with privacy violations and social networking attacks facilitated by the increased use of mobile and tablet devices, will be the source of increased security threats over the coming months. This was revealed by PandaLabs, Panda Security's anti-malware laboratory in its predictions for top security trends to watch out this year.

Cyber espionage targeting companies and government agencies around the world will dominate corporate and national information security landscapes, and jeopardise the integrity of classified and other protected information. Trojans are expected to be the weapon of choice for hackers focused on these highly-sensitive targets.

"We live in a world where all information is in digital form and is easily accessible if you know how. Today's spies no longer need to infiltrate a building to steal information. As long as they have the necessary computer skills, they can wreak havoc and access even the best-kept secrets of organizations without ever leaving their homes," said Luis Corrons, Technical Director of PandaLabs.

Consumers will continue to be targeted by cyber criminals as they find ever more sophisticated ways to target social media sites for stealing personal data. Social engineering techniques exploiting users' naiveté have become the weapon of choice for hackers targeting personally-identifiable information.

"Social networking sites provide a space where users feel safe as they interact with friends and family. The problem is that attackers are creating malware that takes advantage of that false sense of security to spread their creations," said Corrons.

Article Source: http://flpbd.it/nrq3 #infosec #hack #cybersecurity via @ECCOUNCIL

What to Do If Your Online Account's Been Hacked.

2012-01-10T07:30:00.000+11:00

Credit: Dreamstime

Dylan Valade owns a Web design and software business. As part of his business, he deals with Web and network security issues every day.

One day, Valade received a confirmation email from a brokerage account letting him know that a trade had been made. That would have been fine, except for one thing.

"In this case, a stock had been sold that I did not sell," Valade said.

Recognizing that the account had been compromised, Valade changed all of his passwords immediately.

"My brokerage account was closed and a new one was opened," he added. "The equities were transferred to the new account, with a new login and password."

Valade's experience happened on a brokerage site, but any online account can be a target.

"The most valuable targets are financial services like PayPal, online bank accounts and investment accounts," explained Morgan Slain of Los Gatos, Calif.-based SplashData. "Facebook, LinkedIn, and other social networking sites are increasingly common targets. Online email accounts, including Gmail and Yahoo! Mail, are often hacked too."

The most sophisticated hackers actually don't target individual accounts, but instead go after repositories of account data on servers owned by large organizations, which is why companies such as Sony and Epsilon, a major email forwarder, are targeted.

What the hackers are looking to steal depends on the type of account they are hacking into. When banks or financial services such as PayPal are targeted, the objective is to steal money.

"But often the hacker has a larger objective than attacking one individual," said Lance James, director of intelligence at New York's Vigilant. "In most cases, they're gaining access to email or social network accounts specifically to enable further distribution of their activity, or to steal information that will give them access to other places — potentially more valuable places. For example, a hacker might conduct a series of intrusions with the aim of getting into an employer's payroll system."

If one of your online accounts has been hacked, it compromises the overall integrity of your computer, James added. This comes with two primary manners of impact.

"First, if there [was] personal or confidential information on that system, the owner must assume it has been hijacked by criminals," he explained. "This could have long-lasting effects including identity theft, credit fraud, bank account theft and misplaced trust between friends and associates.

"Second — in some ways more detrimental in terms of reach — that compromised computer can be used to launch attacks against others, expanding the sphere of impact geometrically," James said. "It is therefore the responsibility of organizations and every individual to take precautions wherever they can."

The surest sign that your account has been compromised is unusual activity.

"For a financial account like PayPal, the most obvious sign that your account has been compromised are suspicious transactions," said Kevin McNamee, security architect at Kindsight of Mountain View, Calif. "You should regularly check your account to look for any unauthorized transactions and report them immediately.

"For social networking services like Facebook," McNamee added, "you may notice unusual activity on your wall, but the most likely indication that something is wrong is when your friends ask why you've been sending them unusual links and email messages."

Some things to look for, according to Chris Boyd, senior threat researcher at GFI Software of Cary, N.C., include:

— Friends are asking you about random requests for money or messages that you've apparently sent them, claiming that you're stranded somewhere – for example, messages saying you got mugged in London. Scammers use this tactic for financial fraud. This is an especially popular tactic where compromised Facebook accounts are concerned, due to exploiting the trust of friends and family.

— Strange messages are posted from your Twitter account promoting websites and offers that you're unaware of.

— You find you're selling items on eBay that you didn't list.

If you find that one of your accounts has been compromised, the first step is to ensure that no additional damage can be done, McNamee suggested.

If you still have access to the account, change the password immediately. And then change the passwords to other online accounts, especially for any accounts that share an email address and/or a password with the compromised account.

Also, said McNamee, contact the organization that operates the service and let them know that your account has been compromised.

"Their website will provide information on how to report a problem and regain control over your account," he said.

If the account that was compromised held any financial data or credit/debit card information, James said it's best to contact the financial institutions and cancel the cards.

Even the most vigilant computer user is at risk for an attack. But Asaf Greiner, vice president of products at Sunnyvale, Calif.'s Commtouch, provided the following tips that will keep your accounts less vulnerable to a hacker:

— Use different passwords for different accounts, so if you lose one, you don't lose them all.

— Use strong passwords (e.g. ones that are hard to guess), especially with more valuable resources, such as bank accounts. When possible, use multiple-factor authentication, as with a code-number-generating token. If you find passwords hard to remember, use a password vault application to remember them for you.

— Install all recommended software patches and updates – and anti-virus software – on machines you manage.

— Don't log into valuable accounts from public machines or from unencrypted Wi-Fi networks.

Article Source: http://www.securitynewsdaily.com/what-to-do-if-your-online-accounts-been-hacked-0897/ vía @Security_SND

Alfredo Cedeno
IT Security Advisor

+61 452 066 638
Sent from my iPad

Stratfor Hack Shows Even Experts Use Awful Passwords

2012-01-09T07:30:00.000+11:00

Credit: Strategic Forecasting, Inc.

Anonymous' massive year-end attack on the global-security consulting firm Stratfor showed that even top-tier executives at the world's largest corporations don't have a clue about the importance of a strong password.

On Dec. 24, Anonymous announced it had hacked into the Austin, Texas, think tank Strategic Forecasting Inc. (Stratfor) and stolen thousands of private email addresses and credit-card details from the firm's clients and recipients of its emailed newsletters, which include Boeing, Bank of America, Chevron, AIG, Sony, HSBC, Wells Fargo, Google, the United Nations and all four branches of the U.S. military.

Five days later, Anonymous published the list of more than 859,311 email addresses, 860,160 hashed passwords, 68,063 credit cards and 50,569 phone numbers, Identity Finder reported.

Stratfor offers free subscriptions to some of its emailed newsletters. Most of its products must be paid for, including in-depth reports and custom consultations.

Cybersecurity expert Johm Bumgarner told the Los Angeles Times that among the email addresses and credit-card numbers were some belonging to former U.S. Secretary of State Henry Kissinger and former U.S. Vice President Dan Quayle. (SecurityNewsDaily could not verify that assertion.)

Using a computer-automated password-cracking tool called Hashcat, the tech-news site the Tech Herald sifted through the leaked logs to see what type of passwords Stratfor's clients and subscribers used to keep their sensitive accounts secure. The results, Tech Herald security editor Steve Ragan wrote, were "both expected and pitiful."

Stratfor clients used easy-to-guess passwords such as, "123456, "11111111," and "123123." Other terribly insecure passwords: "111222333444," "12345678901," "administration," "123456789abc," "12345stratfor," "hello123," "lawenforcement" and "intelligence."

A batch of weak passwords played off the word itself, including, "password1234," "password101," "password123," "password122" and "Password999." In just under five hours, Haschat was able to crack 81,883 of the 860,160 leaked passwords.

"In the time it took to watch a movie, Hashcat smashed more than 80,000 passwords," Ragan wrote. "How many of those cracked passwords and leaked email accounts can be used to stage a larger attack on the organizations contained within the list? We're not going to test that, obviously, but someone will."

Ragan said Stratfor's online registration process recommends users create passwords at least six characters long, including at least one number. Out of all the passwords successfully deciphered, 23,440 consisted of six characters, 15,394 had seven characters and 21,080 had eight characters.

Security experts recommend building long, complex, case-sensitive passwords with multiple characters. Stratfor clients clearly did not heed that advice; only 1,411 of the leaked Stratfor passwords had 11-character passwords. The number of passwords dropped off even more as the character length increased: There were 627 people with 12-character passwords, and only 165 had passwords with 13 characters.

If you're wondering whether your password, email address or credit card information was exposed in Anonymous' attack on Stratfor, Dazzlepod has created a free search tool that will scour the leaked info for you and let you know if you need to worry.

Source: http://www.securitynewsdaily.com/stratfor-hack-shows-even-experts-use-awful-passwords-1461/ vía @Security_SND

How strong is your privacy?

2012-01-06T07:30:00.000+11:00

Check your password—is it strong?
Your online accounts, computer files, and personal information are more secure when you use strong passwords to help protect them.

What is a strong password?
The strength of a password depends on the different types of characters that you use, the overall length of the password, and whether the password can be found in a dictionary. It should be 8 or more characters long.

Protect yourself from #identitytheft by using strong passwords. Check the strength of your password: https://www.microsoft.com/security/pc-security/password-checker.aspx via @msftsecurity

OLYMPIC TRUST LOTTERY Scam

2012-01-05T07:30:00.000+11:00

The following is an example email for this lottery scam. Please forward all lottery emails to scams@fraudwatchinternational.com

OLYMPIC TRUST LOTTERY
Ref. Number: 639/898/116
Batch Number: 430456543-FD22

Sir/Madam,

We are pleased to inform you of the result of the OLYPIC TRUST LOTTERY International programs held on the 6th April 2004. Your e-mail address attached to ticket number 44676546546-2243 with serial number 8645-645
drew lucky numbers 9-43-76-44-31-85 which consequently won in the 1st
category, you have therefore been approved for a lump sum pay of US$ 1,000,000.00
(One Million United States Dollars)
CONGRATULATIONS!!!

Due to mix up of some numbers and names, we ask that you keep your
winning information confidential until your claims has been processed and your
moneyRemitted to you. This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by someparticipants. All participants were selected through a computer ballot system drawn from over 20,000 company and 30,000,000 individual email addresses and names from all over the world. This promotional program takes place every three year.This lottery was promoted and sponsored by Bill Gates, President of the World Largest software, and other notable businessmen, we hope with part of your winning you will take part in our next year USD50 million International lottery.

To file for your claim, please contact our fiducial agent MR. VAN TOM of the, Standard Trust Agency TEL +31-612-187-410
Email: standardtrust101@netscape.net
Remember, all winning must be claimed not later than 15th of May 2004.
After this date all unclaimed funds will be included in the next stake. Please note in order to avoid unnecessary delays and complications

Please remember to quote your reference number and batch numbers in all correspondence. Furthermore, should there be any change of addresses do inform our agent as soon as possible.

Congratulations once more from our members of staff and thank you for
being part of our promotional program.

Note: Anybody under the age of 18 is automatically disqualified.

Sincerely yours,
Mrs. Claudia Betty
Lottery Coordinator

New Image!!! / Nueva Imagen!!!

2011-12-06T16:04:00.000+11:00

Tengo el agrado de informarles que Hacking Australia tiene nueva Imagen. Actualmente me encuentro preparando mi persona para la Certificación CEH v7. Pero les prometo que el 2012 será un año lleno de Información.

I have the pleasure to announce that Hacking Australia has a new image. Currently I am preparing myself for CEH v7. But I promise you that 2012 will be a year full of information.

Cheers...

Alfredo.

Windows 8 Has A Friendlier Blue Screen Of Death

2011-09-15T21:19:00.000+10:00

While Windows 8 was widely expected to have a black screen of death, the developer build released yesterday has revealed that Redmond has opted to stick with the historic blue. It does, however, come with a peculiar twist. Rather than inundate people (who hopefully remembered to save their work) with a breakdown of why their computer stopped working, it seems Microsoft has chosen to take things in a more compassionate direction.

Unlike the classic, wordy blue screen of yore, the latest version instead makes a sad face at the user. In addition to flashing that large frown, the new BSoD also provides some key search terms just in case the user feel likes digging into what just happened. Users are given a few seconds to write it down or commit it to memory before before the PC automatically restarts, and voila: it’s back to business.

It’s a step in the right direction, as the classic blue screen was nigh unintelligible to most users. This latest version manages to make the process a little less headache-inducing, but I (perhaps naively) long for the day when Microsoft can tell me in plain English why my computer just failed.

Source: http://techcrunch.com/2011/09/14/windows-8-has-a-friendlier-blue-screen-of-death/

Book: Backtrack 5 Wireless Pentesting

2011-09-15T21:08:00.000+10:00

Book : Backtrack 5 Wireless Penetration Testing by Vivek Ramachandran This book will provide a highly technical and in-depth treatment of Wi-Fi security. The emphasis will be to provide the readers with a deep understanding of the principles behind various attacks and not just a quick how-to guide on publicly available tools. We will start our journey with the very basics by dissecting WLAN

Original Page: http://feedproxy.google.com/~r/TheHackersNews/~3/66tE00u68mE/book-backtrack-5-wireless-penetration.html

Android malware outsmarts bank security.

2011-09-15T20:59:00.000+10:00

By Greg Masters
Anti-virus won't detect it.

A variant of the SpyEye trojan dubbed SpitMo can steal bank account details and redirect transaction validation SMSes from Android phones.

SpitMo, or SpyEye for mobile, imposed templated fields on targeted banks' web pages requesting that customers fill in a mobile phone number and the international mobile equipment identity (IMEI) number of the device, a unique signature for a specific phone.

It meant criminals no longer needed to generate a certificate and issue an updated installer to snag the IMEI number, saving them up to three days.

The latest iteration of the trojan injected a message that dupes bank customers into clicking on a phony app download.

By clicking on the installer labelled "set the application," users are walked through steps that download and install the malware.

A user is then instructed to dial a number, which provides an alleged activation code to access the bank's site. In reality, that call is rerouted by the Android malware and a fake activation code is issued.

At this point, all incoming SMS messages will be intercepted and transferred to the attacker's command-and-control server.

What makes the new variant particularly meddlesome is the fact that it is unlikely to be detected as there is no visual evidence of it on the dashboard.

Users are not aware that they have been infected and that their text messages are being hijacked.

SpyEye trojan was found by Trusteer researchers in July when it was stealing troves of personal information and bank accounts. At the time, researchers said the malware was capable of evading transaction monitoring systems that look for anomalies, and observed new variants appearing frequently.

SpitMo was first detected in April by security firm F-Secure and was this week found by Trusteer researchers to be attacking the Android mobile operating system.

While the infection rate at this point is yet to snowball into a major epidemic, Trusteer researchers are advising organisations to "act now and install a desktop browser security solution as part of a multilayered security profile."

Copyright © 2011 Haymarket Media. All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of Haymarket Media's Privacy Policy and Terms & Conditions.

RedHat jakarta: Increased privileges

2011-09-15T20:48:00.000+10:00

(15/09/2011) ESB-2011.0943 - [RedHat] jakarta-commons-daemon-jsvc: Increased privileges - Existing account

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2011.0943
Important: jakarta-commons-daemon-jsvc security update
15 September 2011

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: jakarta-commons-daemon-jsvc
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux AS/ES/WS 4
Red Hat Enterprise Linux Desktop 4
Impact/Access: Increased Privileges -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2011-2729

Reference: ASB-2011.0064.2

Original Bulletin:
https://rhn.redhat.com/errata/RHSA-2011-1291.html

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: jakarta-commons-daemon-jsvc security update
Advisory ID: RHSA-2011:1291-01
Product: JBoss Enterprise Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1291.html
Issue date: 2011-09-14
CVE Names: CVE-2011-2729
=====================================================================

1. Summary:

A jsvc update for JBoss Enterprise Web Server 1.0.2 on Red Hat Enterprise
Linux 4 that fixes one security issue is now available from the Red Hat
Customer Portal.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Description:

jsvc is a service wrapper that allows Java applications to be run as
daemons.

It was found that jsvc did not correctly drop capabilities after starting
an application. If an administrator used jsvc to run an application, and
also used the "-user" option to specify a user for it to run as, the
application correctly ran as that user but did not drop its increased
capabilities, allowing it access to all files and directories accessible to
the root user. (CVE-2011-2729)

Note: This flaw only affected users running JBoss Enterprise Web Server
1.0.2 from jboss-ews-1.0.2-RHEL4-[arch].zip as provided from the Red Hat
Customer Portal, as versions for other products are not built with
capabilities support.

All users running JBoss Enterprise Web Server 1.0.2 as provided from the
Red Hat Customer Portal on Red Hat Enterprise Linux 4 are advised to apply
this update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying the update, backup your
existing JBoss Enterprise Web Server installation (including all
applications and configuration files). After applying the update, if jsvc
is started, it must be restarted for this update to take effect.

4. Bugs fixed (http://bugzilla.redhat.com/):

730400 - CVE-2011-2729 jakarta-commons-daemon: jsvc does not drop capabilities allowing access to files and directories owned by the superuser

5. References:

https://www.redhat.com/security/data/cve/CVE-2011-2729.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=webserver&version=1.0.2

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFOcPpnXlSAg2UNWIIRAirlAJ4lBRq346PVsFGsMcWpMQzItIGl0ACdHZ7S
tGPG1qJiNQoSqyFzYh/2DIA=
=0din
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTnE7Te4yVqjM2NGpAQKn7Q//agvJ6JgIcv1RNd+y/2MrMeGnDE6V700Q
E5vgyBuGz1jtVFsbmUd4HcjfwFJ+n75lrin0FHvHWR1fMy8NlbuXKUe7RBPPI5+B
8RFmkiTl5+kYMlOytmDkcIM/fswi/bBG8y9C363s94+Wm/27Q4uWFZs4tWmB22p1
3zHCMfDosnGC+3lv/iI7tS6xoBohpbrz5qhq2kU8FNmE15pCi6QmBW4ctanjp/3b
kvVUAvdnA/4qOLDba3EkAHmWS7W/nFA2Rb2OhsViY9QASIhFXDMCWnqTmNBCIQxS
eWyK8OaxKdIWYQJQFVZylP6SCBu6gPlAy683V7xJbGBh4JpqdulzNQx5PoNPqXlf
TPBtr8IZ1CrnH+FeLpYLSe9FBBJ0nPg03j3TWvOkCitmOJGSoilJhxpIT0lF/wdV
cIBa/lm/LwrQO4k0wZMl5pgagoJb/QECqYLbJblWRsE6q+Yr4+ihqf4P/maOS/T2
7za7RbKZTpM7RqIiM5qJ1SdOBk5HOK6a

Original Page: http://www.auscert.org.au/render.html?it=14836

RedHat squid: Execute arbitrary code

2011-09-15T20:10:00.001+10:00

(15/09/2011) ESB-2011.0944 - [RedHat] squid: Execute arbitrary code/commands - Remote/unauthenticated

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2011.0944
Moderate: squid security update
15 September 2011

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: squid
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux WS/Desktop 6
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-3205

Reference: ESB-2011.0882.2

Original Bulletin:
https://rhn.redhat.com/errata/RHSA-2011-1293.html

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: squid security update
Advisory ID: RHSA-2011:1293-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1293.html
Issue date: 2011-09-14
CVE Names: CVE-2011-3205
=====================================================================

1. Summary:

An updated squid package that fixes one security issue is now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Squid is a high-performance proxy caching server for web clients,
supporting FTP, Gopher, and HTTP data objects.

A buffer overflow flaw was found in the way Squid parsed replies from
remote Gopher servers. A remote user allowed to send Gopher requests to a
Squid proxy could possibly use this flaw to cause the squid child process
to crash or execute arbitrary code with the privileges of the squid user,
by making Squid perform a request to an attacker-controlled Gopher server.
(CVE-2011-3205)

Users of squid should upgrade to this updated package, which contains a
backported patch to correct this issue. After installing this update, the
squid service will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

734583 - CVE-2011-3205 squid: buffer overflow flaw in Squid's Gopher reply parser (SQUID-2011:3)

6. Package List:

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/squid-3.1.10-1.el6_1.1.src.rpm

i386:
squid-3.1.10-1.el6_1.1.i686.rpm
squid-debuginfo-3.1.10-1.el6_1.1.i686.rpm

ppc64:
squid-3.1.10-1.el6_1.1.ppc64.rpm
squid-debuginfo-3.1.10-1.el6_1.1.ppc64.rpm

s390x:
squid-3.1.10-1.el6_1.1.s390x.rpm
squid-debuginfo-3.1.10-1.el6_1.1.s390x.rpm

x86_64:
squid-3.1.10-1.el6_1.1.x86_64.rpm
squid-debuginfo-3.1.10-1.el6_1.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/squid-3.1.10-1.el6_1.1.src.rpm

i386:
squid-3.1.10-1.el6_1.1.i686.rpm
squid-debuginfo-3.1.10-1.el6_1.1.i686.rpm

x86_64:
squid-3.1.10-1.el6_1.1.x86_64.rpm
squid-debuginfo-3.1.10-1.el6_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-3205.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFOcPqzXlSAg2UNWIIRAutlAJ9nlG0w3FNBVqFtxSNe10FKir/WkACeNQAA
rDOr/svPTfi23jLvkODeYbk=
=0hIH
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTnE7XO4yVqjM2NGpAQJBUg/9HBkNpV+ASPWak3lQuRHjKxWks0HLZ5cU
eJaL78jwsL0JKTiRBoqe6eaCfzjHRAV7imnUbg1Q4xd+wMdukpU7ZbUSz2kvUeRw
icEkSpkKut8+LAzWHdkW80cks6C3rGmOaO7zEXcGjGe/9MeeaojdWYbFQII+IN1g
z3fz9bOTKSZOcHg3MB80zRafHxOuBUyJaqsOa93kEhd4gG8uJA8KzeXh6hJtrTsZ
vfrQsDJ2e46Ruxj4x8gTpw1hkKBU5XAaqR1iD7ijSaBLd0bAxkJckj2WsCxHodU8
/A1rgv5PxfsLA+4gli3p5Ua1PVqzs/ud/HpafOkyF+SE46je7E1S+HgYY45+CP3V
oZiDyjl+9q+FVpc/r5NmtzHHB9j1knKo8jJFMsi13diSdXp9AvD2ERhVF8gTnvGW
5kwZjLCcLgsPM+RtKw4X0Klla4/T4kvbWr6Y87x7/V84nx0sY+roCzV6yePI6j4u
z6JDXagOyg0QlOA0NYstxYeVqIRH3XJP

Original Page: http://www.auscert.org.au/render.html?it=14837

RedHat httpd: Denial of service

2011-09-15T20:06:00.001+10:00

(15/09/2011) ESB-2011.0945 - [RedHat] httpd: Denial of service - Remote/unauthenticated

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2011.0945
Important: httpd security update
15 September 2011

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: httpd
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 5
Red Hat Enterprise Linux Server 6
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-3192

Reference: ESB-2011.0896
ESB-2011.0870.2

Original Bulletin:
https://rhn.redhat.com/errata/RHSA-2011-1294.html

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: httpd security update
Advisory ID: RHSA-2011:1294-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1294.html
Issue date: 2011-09-14
CVE Names: CVE-2011-3192
=====================================================================

1. Summary:

Updated httpd packages that fix one security issue are now available for
Red Hat Enterprise Linux 5.3 Long Life, 5.6 Extended Update Support, and
6.0 Extended Update Support.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux (v. 5.3.LL server) - i386, ia64, x86_64
Red Hat Enterprise Linux Server (v. 6.0.z) - i386, noarch, ppc64, s390x, x86_64

3. Description:

The Apache HTTP Server is a popular web server.

A flaw was found in the way the Apache HTTP Server handled Range HTTP
headers. A remote attacker could use this flaw to cause httpd to use an
excessive amount of memory and CPU time via HTTP requests with a
specially-crafted Range header. (CVE-2011-3192)

All httpd users should upgrade to these updated packages, which contain a
backported patch to correct this issue. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

732928 - CVE-2011-3192 httpd: multiple ranges DoS

6. Package List:

Red Hat Enterprise Linux (v. 5.3.LL server):

Source:
httpd-2.2.3-22.el5_3.3.src.rpm

i386:
httpd-2.2.3-22.el5_3.3.i386.rpm
httpd-debuginfo-2.2.3-22.el5_3.3.i386.rpm
httpd-devel-2.2.3-22.el5_3.3.i386.rpm
httpd-manual-2.2.3-22.el5_3.3.i386.rpm
mod_ssl-2.2.3-22.el5_3.3.i386.rpm

ia64:
httpd-2.2.3-22.el5_3.3.ia64.rpm
httpd-debuginfo-2.2.3-22.el5_3.3.ia64.rpm
httpd-devel-2.2.3-22.el5_3.3.ia64.rpm
httpd-manual-2.2.3-22.el5_3.3.ia64.rpm
mod_ssl-2.2.3-22.el5_3.3.ia64.rpm

x86_64:
httpd-2.2.3-22.el5_3.3.x86_64.rpm
httpd-debuginfo-2.2.3-22.el5_3.3.i386.rpm
httpd-debuginfo-2.2.3-22.el5_3.3.x86_64.rpm
httpd-devel-2.2.3-22.el5_3.3.i386.rpm
httpd-devel-2.2.3-22.el5_3.3.x86_64.rpm
httpd-manual-2.2.3-22.el5_3.3.x86_64.rpm
mod_ssl-2.2.3-22.el5_3.3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
httpd-2.2.3-45.el5_6.2.src.rpm

i386:
httpd-2.2.3-45.el5_6.2.i386.rpm
httpd-debuginfo-2.2.3-45.el5_6.2.i386.rpm
httpd-devel-2.2.3-45.el5_6.2.i386.rpm
httpd-manual-2.2.3-45.el5_6.2.i386.rpm
mod_ssl-2.2.3-45.el5_6.2.i386.rpm

ia64:
httpd-2.2.3-45.el5_6.2.ia64.rpm
httpd-debuginfo-2.2.3-45.el5_6.2.ia64.rpm
httpd-devel-2.2.3-45.el5_6.2.ia64.rpm
httpd-manual-2.2.3-45.el5_6.2.ia64.rpm
mod_ssl-2.2.3-45.el5_6.2.ia64.rpm

ppc:
httpd-2.2.3-45.el5_6.2.ppc.rpm
httpd-debuginfo-2.2.3-45.el5_6.2.ppc.rpm
httpd-debuginfo-2.2.3-45.el5_6.2.ppc64.rpm
httpd-devel-2.2.3-45.el5_6.2.ppc.rpm
httpd-devel-2.2.3-45.el5_6.2.ppc64.rpm
httpd-manual-2.2.3-45.el5_6.2.ppc.rpm
mod_ssl-2.2.3-45.el5_6.2.ppc.rpm

s390x:
httpd-2.2.3-45.el5_6.2.s390x.rpm
httpd-debuginfo-2.2.3-45.el5_6.2.s390.rpm
httpd-debuginfo-2.2.3-45.el5_6.2.s390x.rpm
httpd-devel-2.2.3-45.el5_6.2.s390.rpm
httpd-devel-2.2.3-45.el5_6.2.s390x.rpm
httpd-manual-2.2.3-45.el5_6.2.s390x.rpm
mod_ssl-2.2.3-45.el5_6.2.s390x.rpm

x86_64:
httpd-2.2.3-45.el5_6.2.x86_64.rpm
httpd-debuginfo-2.2.3-45.el5_6.2.i386.rpm
httpd-debuginfo-2.2.3-45.el5_6.2.x86_64.rpm
httpd-devel-2.2.3-45.el5_6.2.i386.rpm
httpd-devel-2.2.3-45.el5_6.2.x86_64.rpm
httpd-manual-2.2.3-45.el5_6.2.x86_64.rpm
mod_ssl-2.2.3-45.el5_6.2.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6.0.z):

Source:
httpd-2.2.15-5.el6_0.1.src.rpm

i386:
httpd-2.2.15-5.el6_0.1.i686.rpm
httpd-debuginfo-2.2.15-5.el6_0.1.i686.rpm
httpd-devel-2.2.15-5.el6_0.1.i686.rpm
httpd-tools-2.2.15-5.el6_0.1.i686.rpm
mod_ssl-2.2.15-5.el6_0.1.i686.rpm

noarch:
httpd-manual-2.2.15-5.el6_0.1.noarch.rpm

ppc64:
httpd-2.2.15-5.el6_0.1.ppc64.rpm
httpd-debuginfo-2.2.15-5.el6_0.1.ppc.rpm
httpd-debuginfo-2.2.15-5.el6_0.1.ppc64.rpm
httpd-devel-2.2.15-5.el6_0.1.ppc.rpm
httpd-devel-2.2.15-5.el6_0.1.ppc64.rpm
httpd-tools-2.2.15-5.el6_0.1.ppc64.rpm
mod_ssl-2.2.15-5.el6_0.1.ppc64.rpm

s390x:
httpd-2.2.15-5.el6_0.1.s390x.rpm
httpd-debuginfo-2.2.15-5.el6_0.1.s390.rpm
httpd-debuginfo-2.2.15-5.el6_0.1.s390x.rpm
httpd-devel-2.2.15-5.el6_0.1.s390.rpm
httpd-devel-2.2.15-5.el6_0.1.s390x.rpm
httpd-tools-2.2.15-5.el6_0.1.s390x.rpm
mod_ssl-2.2.15-5.el6_0.1.s390x.rpm

x86_64:
httpd-2.2.15-5.el6_0.1.x86_64.rpm
httpd-debuginfo-2.2.15-5.el6_0.1.i686.rpm
httpd-debuginfo-2.2.15-5.el6_0.1.x86_64.rpm
httpd-devel-2.2.15-5.el6_0.1.i686.rpm
httpd-devel-2.2.15-5.el6_0.1.x86_64.rpm
httpd-tools-2.2.15-5.el6_0.1.x86_64.rpm
mod_ssl-2.2.15-5.el6_0.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-3192.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFOcPvoXlSAg2UNWIIRAmGBAJwI2Fw6a21y6sQIufKOTMSqJsa8iwCghpOw
pVtt5SPsKbyHm0L/nXt0ZQM=
=shA7
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTnE7Yu4yVqjM2NGpAQKEJQ/8D4uV4WFTPhfuMslvWq0HB2ZnQJEpLT9J
89hOtZ89f8x20zqosJcKk7QqqCfOtPAct9JnzxPsSVqGJxrQc/ViplkbNFzhe63o
hIZp5BT6XP1UWiSlFqnpbxBjxRhC0if6G/wH3/n9jGVRnJnnBENxScB3wftmcubQ
KYqXOMGXDE9LvJ1hf8Y5erYs5e5I74ixEIKMrNjwGgrYSdukKZBVmNwAu77DQCIZ
braEYMN8R3a/wOmMJUKueClMwjsbeQNNUsBA+0C54sPF4jFf6f/Evpb8bHs/8zZj
TYWFcvVZn/1o/lOx3B5YODYGWVEDvDPX/gTmw6J4Hp6OOnkbdwKngEVlsJcdA6IS
xFbLreHoGoAjxDqe223ISqDFJkrQFW2NZM9dwZxEveI1LE7L+JgM/wN13IYoZuRs
v9l21ss0/yXBwF7IIa8UmoRjR/NAN2wwPjb960TZ09O+rs9wIpzECQ8GyFxQpUEC
Op0jD3dJNpjZvnVcK4YPc4+DO2xvkPaW

Original Page: http://www.auscert.org.au/render.html?it=14838

Cisco Systems: Execute arbitrary code/commands

2011-09-15T19:48:00.001+10:00

(15/09/2011) ESB-2011.0946 - [Win][Cisco] Cisco Systems: Execute arbitrary code/commands - Remote/unauthenticated

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2011.0946
Cisco Unified Service Monitor and Cisco Unified Operations
Manager Remote Code Execution Vulnerabilities
15 September 2011

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: Cisco Unified Service Monitor
Cisco Unified Operations Manager Remote
Publisher: Cisco Systems
Operating System: Windows
Cisco
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-2738

Original Bulletin:
http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco Unified Service Monitor and Cisco
Unified Operations Manager Remote Code Execution Vulnerabilities

Advisory ID: cisco-sa-20110914-cusm

Revision 1.0

For Public Release 2011 September 14 1600 UTC (GMT)

+---------------------------------------------------------------

Summary
=======

Two vulnerabilities exist in Cisco Unified Service Monitor and Cisco
Unified Operations Manager software that could allow an
unauthenticated, remote attacker to execute arbitrary code on
affected servers.

Cisco has released free software updates that address these
vulnerabilities.

There are no workarounds available to mitigate these vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml

Note: CiscoWorks LAN Management Solution is also affected by these
vulnerabilities. A separate advisory for CiscoWorks LAN Management
Solution is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20110914-lms.shtml

Affected Products
=================

Vulnerable Products
+------------------

All versions of Cisco Unified Service Monitor and Cisco Unified
Operations Manager prior to 8.6 are affected.

To determine the Cisco Unified Service Monitor and Cisco Unified
Operations Manager software version navigate to Administration >
Software Center (Common Services) > Software Update. The Software
Update page displays the licensing and software version.

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products other than the CiscoWorks LAN Management
Solution are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Service Monitor and Cisco Unified Operations Manager
are products from the Cisco Unified Communications Management Suite.
They provides a way to continuously monitor active calls supported by
the Cisco Unified Communications System.

Two vulnerabilities exist in Cisco Unified Service Monitor and Cisco
Unified Operations Manager software that could allow an
unauthenticated, remote attacker to execute arbitrary code on
affected servers. These vulnerabilities can be triggered by sending a
series of crafted packets to the affected server over TCP port 9002.

Both of these vulnerabilities are documented in Cisco bug ID
CSCtn42961 ( registered customers only) and have been assigned CVE ID
CVE-2011-2738.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtn42961 - Cisco Unified Service Monitor Remote Code Execution

CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete

CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities could allow an
unauthenticated, remote attacker to execute arbitrary code on
affected servers.

Software Versions and Fixes
===========================

When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

These vulnerabilities have been corrected in Cisco Unified Service
Monitor and Cisco Unified Operations Manager software version 8.6.

Cisco Unified Service Monitor and Cisco Unified Operations Manager
software can be downloaded from the following link:

http://www.cisco.com/cisco/software/navigator.html?mdfid=280110371&i=rm

Workarounds
===========

There are no workarounds available to mitigate these vulnerabilities.

Mitigations that can be deployed on Cisco devices within the network
are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-201100914-cusm-lms.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.

These vulnerabilities were reported to Cisco by ZDI and discovered by
AbdulAziz Hariri.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at :

http://www.cisco.com/warp/public/707/cisco-sa-20110914-cusm.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
================

+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-September-14 | public |
| | | release |
+----------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt

+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iFcDBQFOb9w/QXnnBKKRMNARCBomAP9pCiRwCB8z3oe3IWB2XXNzeaQxAwoq0gQ4
6znwu3lLSAD/Y6o+u8AofSMxkj3THWIdpbjVXKQXMal/BhxDhN5fsI8=
=Ybok
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTnE8lu4yVqjM2NGpAQJTTRAAgAUh7cpVa7iiA5anRWg+TBGH1z5nwVzl
0e6L16KieENRI9ewQjsiQUxyTsFyL7QdlOYO6Qz7mRaaQEmyM5yLeVOeRe29peKL
lqmKsZ76qSZm7rJf2019fYiLkyRc++2+OpfUUejwWqvCmyf9sEpBxLkVEnLlxrjO
5/pBF8sbjPZzoo3ZqLX7OFYRVEMUXNviVT2PbKkDpoJLZBSg9JWf2MMeF3YHLVax
ixDYHjUYvNERMxRYT7zxXJrM8el1+dum0Am2N5vg+UkxCkuRzDP98vLwSNPzWMn9
/v2DZJ8EEShiXOPw3yzR3l48EcdwkHyTQnZOZAXHoDIwq/45gEuAYklqbY0EJBgo
TAirC2HW7aOvITadIoxd0UysWlzCGheXFdfRYRC6RIfxC632CdKbseLAe3H0rgWD
Yw5gaHRWJPHhxlVR9ULDUMWTKNHrS9uiBJYnSwfxDpyT4t0h04JRvw608OHNKqtx
1vfEYl/MXr39k5trlDwdZQU9l9ciWqp+

Original Page: http://www.auscert.org.au/render.html?it=14839

Anonymous dice que destruirá Facebook el 5 de noviembre

2011-08-23T16:54:00.005+10:00

Anonymous, el mayor grupo de hackers en activo en la actualidad, y  que ha llevado al caos a páginas como las de Apple, Telefónica y más de  70 organismos oficiales en todo el mundo, ha puesto fecha y nombre para  un nuevo objetivo: Facebook. 

Pero en esta ocasión no quiere bloquear el site, tirarlo durante unos minutos… como en el resto de sus ataques. En este caso, su objetivo es la destrucción total de la red social.

Así lo ha comunicado Anonymous en un vídeo oficial que ha subido a  YouTube, en la que habla de la “Facebook OP”, (la Operación Facebook),  que tendrá lugar el 5 de noviembre y que acabará con Facebook por la  violación constante de la privacidad de los usuarios, y el hecho de que  comercialice con los datos de los mismos hasta el punto de venderlos a  los gobiernos que deseen vigilarles, según ha dicho el grupo de  hacktivistas.

“Facebook ha estado vendiendo información a las agencias de  gobiernos, y ofreciendo acceso clandestino a los datos de los usuarios,  por lo que permite espiar a gente de todo el mundo”, advierte en el  vídeo. “Facebook sabe más sobre usted que su propia familia”,  puntualiza.

Anonymous también acusa a Facebook de haber censurado sus cuentas sin  motivo, y avisa “Facebook, prepárate para la batalla”. El grupo además  ha creado una cuenta en Twitter y el ‘hashtag’ #opfacebook para dar más popularidad a su supuesto ataque.

Habrá que esperar cuatro meses para ver si se materializa la amenaza. Hasta ahora Anonymous no había avisado con tanta antelación, pero tampoco se había fijado como objetivo la destrucción total de un site. Veremos qué pasa.

Source: trecebits.com

La niña de 10 años que da 'clases' a los hackers

2011-08-23T12:00:00.019+10:00

Defcon, la conferencia de seguridad que hackers benevolentes, sin ánimo de hacer estropicios, celebran en Las Vegas, ha tenido una ponente inédita.

Se trata de una niña de 10 años, cuyo alias en CyFi, que ha descubierto una vulnerabilidad en juegos para móviles con los sistemas operativos iOs y Android. Investigadores independientes han confirmado la veracidad del hallazgo.

En Cnet, CyFi asegura que la descubrió porque le aburría la lentitud en los juegos de granjas en los que debes esperar a que crezca lo sembrado.

Era duro, explica la niña, progresar en este tipo de juegos porque se hacía muy largo esperar a que crecieran las cosechas. Entonces pensó en alterar el tiempo.

Sacar provecho de una siembra de maíz puede suponer 10 horas. Pensó que una solución era forzar el reloj del móvil o tableta y fue en esta indagación cuando descubrió una vulnerabilidad que permitía hacerlo.

CyFi no ha dado los nombres de los juegos afectados. La niña detectó sistemas de prevención de estas manipulaciones pero también descubrió atajos para obviarlas, como desconectar el wifi del móvil.

La sesión se celebró en el marco de la conferencia que, por primera vez, ha abierto una sección para niños, DefCon Kids, ante la evidencia de la comunidad hacker es cada vez más joven. Una compañía, AllCrealID ofrece premios en este apartado.

Pirateo por engaño

En la misma conferencia, pero con protagonistas adultos, se realizó un experimento para demostrar la vulnerabilidad de las grandes compañías debido a la deficiente información sobre seguridad informática de sus empleados.

En la prueba se demostró lo ridículamente fácil que era engañar a empleados de una empresa para que suministraran información que comprometía la seguridad de sus equipos.

En un caso, se convenció a un trabajador para que diera datos sobre la configuración de su ordenador, lo que puede ayudar a escoger el programa malicioso más apropiado para realizar una intrusión.

Este mecanismo tiene incluso un nombre: ingeniería social. El conocido ex hacker Kevin Mitnick, por ejemplo, la considera una de las principales armas para el asalto informático.

Se trata de engañar a un empleado para que suministre datos importantes sobre el sistema informático.

Un ejemplo clásico es llamar a una secretaria en nombre del supuesto equipo de informática de la compañía, explicar que se está procediendo a cambiar las contraseñas para reforzar la seguridad del sistema y solicitar la de su jefe para tal supuesto propósito.

Con increíble facilidad se obtiene la información buscada.

Entre las compañías en las que se hizo la prueba figuran Oracle, Apple, AT&T Delta Air Lines, Symantec y Verizon.

Agencias, 09 de agosto de 2011 a las 10:18

Source: Periodista Digital 

Kaspersky disputes McAfee's Shady Rat report

2011-08-22T21:35:00.001+10:00

Last week, Congresswoman Mary Bono Mack (CA-45), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, sent a letter to Dmitri Alperovitch, Vice President of Threat Research at McAfee, requesting further information on his recently published report “Revealed: Operation Shady RAT.”

First of all I’d like to say straight out that we do not share the concerns surrounding the intrusion described in the report, which intrusion the report claims has resulted in the theft of sensitive information of multiple governments, corporations and non-profit organizations.

We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch.

We consider those conclusions to be largely unfounded and not a good measure of the real threat level. Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information.

I’d like to give my own answers to the key questions posed in the letter, to firmly establish the assessment of the situation by Kaspersky Lab as global security researchers – not only for the US, but for all nations concerned with cybercrime and advanced threats.

The report suggests the high-profile intrusions of recent months are neither sophisticated nor novel. How do these unsophisticated intrusions differ from the intrusions that were the focus of your report?

Many of the so-called “unsophisticated” intrusions that the IT security industry has discovered recently and which have been so prominent in the news should in fact be labeled just the opposite: “sophisticated”.

These sophisticated threats – such as TDSS, Zeus, Conficker, Bredolab, Stuxnet, Sinowal and Rustock – pose a much greater risk to governments, corporations and non-profit organizations than Shady RAT.

For example, TDSS controls one of the world’s largest zombie networks, made up of more than 4.5 million computers worldwide. It contains extremely sophisticated techniques and implements a whole range of risky payloads that can lead to the theft of sensitive information and even funds in bank accounts, to spam distribution, DDoS attacks and much more.

On the other hand, most security vendors did not even bother assigning a name to Shady RAT’s malware family, due to its being rather primitive.

Are such intrusions something the government and private sector can effectively prevent or mitigate on a continuing basis?

Most commercially-available anti-virus software is capable of preventing infection by the malware involved in Operation Shady RAT; most doesn’t require a special update to do so either, capable of detecting the malware generically.

Did the logs analyzed by McAfee reveal novel techniques or patterns that would be helpful in our efforts to combat cybercrime?

We are fairly sure that the logs that McAfee analyzed did not differ from the logs all the other security vendors analyzed.

Here are our findings: unlike malware from the abovementioned sophisticated samples, we found no novel techniques or patterns used in this malware. What we did find were striking shortcomings that reveal the authors’ low level of programming skill and lack of basic web security knowledge.

In addition, the way the malware spread – via masses of spam messages with infected files attached – is now considered to be old hat; most modern malware uses web attacks to get to target computers. Shady RAT also never used any advanced or previously unknown technologies for hiding itself in the system, any countermeasures against anti-viruses, or any encryption to protect the traffic between the servers and infected computers. Needless to say, these are features inherent only in sophisticated malware.

What is the greater target: intellectual property and national security information, or consumer information that can be used to perpetrate identity theft?

There is no evidence showing what sort of data has been acquired from infected computers, or if any data has been acquired at all.

We can only understand what data (if any) has been stolen by conducting an in-depth investigation within an affected organization to examine the actual access rights of the infected computers.

The report suggests that the more insidious intrusions are more likely to occur without public disclosure. Would more public disclosure help or harm industry efforts to fight this type of cybercrime?

Some of the more insidious intrusions take place without the general public becoming aware of them. What’s more, they can go undetected for some time before being discovered by the IT security industry, and this is likely to continue due to the nature of the architecture of modern software and the Internet.

However, regarding Shady RAT, the IT security industry did know about this botnet, but decided not to ring any alarm bells due to its very low proliferation – as confirmed by our cloud-based cyber-threat monitoring system and by other security vendors. It has never been on the list of the most widespread threats.

For years now the industry has adopted the simple and helpful rule of not crying wolf.

A very important question that has slipped off the radar is what state is behind this intrusion?

It’s not possible to give a straight and clear answer to this question; however, it looks overwhelmingly likely that no state is behind the Shady RAT botnet. How the botnet operates and the way the related malware is designed reveals startling fundamental defects hardly indicative of a well-funded cyber-attack backed up by a nation state.

A good example of a cyber-attack most likely backed by a nation state is Stuxnet. Just compare the number of vulnerabilities used, special techniques, and the various assessments of the development cost. With Shady RAT we are dealing with a lame piece of homebrew code that could have been written by a beginner.

On the black market the Shady RAT malware would be valued at not much more than a couple hundred dollars. Even if an “evil” state were to decide to launch a targeted attack, it could buy much more sophisticated malware for just $2,000 – $3,000. And most certainly the evil state wouldn’t use the same command and control server for five years, and then keep it operating after it was revealed in the world media that it had been exposed – allowing security researchers to conduct in-depth analysis of the botnet.

We believe that this act was performed by rather novice criminals who were testing the ground, but who didn’t improve their skills much at all since the date they started the botnet.

To summarize the Shady RAT report:

Was it the most sophisticated attack ever?

No.

Was it the longest-lasting attack ever?

No.

Was it a historically unprecedented transfer of wealth?

No.

Is there proof that 71 organizations were compromised and had data leaked?

No.

Was it backed up by a state?

No.

Does Shady RAT deserve much attention?

No.

Send to you via TechRepublic for iOS

New Desktop Blogging for Linux

2011-07-01T09:14:00.000+10:00

GNOME blog is a desktop blogging application for Linux and Unix. Easy and quick to use to help you writing your great blog posts.

Features

- Simple to use interface

- WYSIWYG styled text support

- Panel popup allows entries can be written gradually over the course of a day

- Spell checking

- Drag and drop support for images

Download

Latest stable release is 0.9.2

Packaged stable releases should be available through your distribution.

Sources are available at ftp.gnome.org.

Epsilon: Mayor robo de datos online de la historia

2011-04-29T08:01:00.000+10:00

La empresa Online Epsilon sufrió lo que los expertos consideran como uno de los mayores ataques informáticos hasta la fecha. Epsilon es una empresa que ofrece servicios de Marketing Online que gestiona aproximadamente 400,000 millones de anuncios y ofertas por email al año, esta ha sufrido el ataque de un hacker que habría logrado robar archivos de información privada de sus consumidores.

La verdad es que a pesar de la magnitud de este ciberataque, la evidencia apunta a que el cibercriminal no llegó a acceder a los números de tarjeta de crédito, passwords o números de seguridad social. Actualmente la policia esta tratando de esclarecer las causas de este atentado, mientras la empresa Epsilon no ha proporcionado datos concretos sobre las empresas afectadas. (¡Hola RSA!)

También se dice que entre los afectados podría encontrarse la cadena hotelera Marriot y Kroger, que es la segunda cadena de supermercados de Estados Unidos.

Algunas compañias que trabajan con Epsilon, como es el caso de importantes entidades financieras como: Bancorp & Citigroup, JPMorgan Chase, Bestu Buy, TiVo, Kroger, las farmacias Walgreen, Barclays Bank, la firma de tarjetas de crédito Capital One Financial, ya han avisado a sus clientes del incidente para prevenirles de posibles ataques de Phishing, con el fin de obtener datos de sus cuentas corrientes.

“Nuestros proveedor de correo electrónico, Epsilon, nos ha informado que un individuo o individuos tuvieron acceso de forma no autorizada a información limitada sobre usted”, aseguró HSN, operador de e-commerce, en un correo enviado el domingo a sus clientes.

Los nombres y correos electrónicos de clientes de Citigroup y de otras grandes compañías estadounidenses fueron expuestos en una gigantesca violación de datos, después de que un pirata informático se coló en la empresa de marketing online Epsilon.
Los nombres y contactos electrónicos de algunos estudiantes afiliados al College Board -que representa a unas 5 mil 900 facultades, universidades y colegios- también estaban potencialmente comprometidos.

Epsilon contactó durante el fin de semana a sus clientes para advertirles que parte de su información electrónica podría haber sido expuesta.
No parecía que se hubiera expuesto información financiera como tarjetas de crédito o números de seguridad social, según los comunicados de las compañías y correos electrónicos enviados a clientes.
La firma, con más de 2.500 clientes, envía más de 40 mil millones de anuncios y ofertas por correo electrónico cada año, normalmente para gente que se registra en una página de una compañía o da su dirección de e-mail mientras compra.

“Esta información incluía su nombre y dirección de correo electrónico y no incluía ninguna información financiera o sensible. Consideramos que era importante notificarle este incidente lo antes posible”, añadió.

Fuente | Reuters, Segu-Info, hacking.mx

abril 5th, 2011

De la C, la E y la H

2011-04-28T18:07:00.000+10:00

CEH. Certified Ethical Hacker. Tomé el curso recientemente. Los que ya lo han tomado, sabrán que se trata de que uno entienda en general las técnicas usadas por “los malos” para penetrar sistemas/redes y poder así lograr sus fines.

La idea es que si no sabes las técnicas de ataque, difícilmente sabrás cómo defenderte. En el curso te dan un “overview” de las fases del hackeo que básicamente son: Reconocimiento, Escaneo, Obtención de accesos (a nivel sistema y/o red), Mantenimiento del acceso y el Borrado de huellas.

Para cada una de las fases te dicen de qué se trata y qué herramientas (aplicaciones) usan “los malos” para completar esa fase. Recordemos que la diferencia entre un hacker y un profesional de seguridad es la intención y los objetivos perseguidos; las herramientas y técnicas son las mismas pero unos las usan para atacar y otros las prueban (sin daño) para entenderlas y poder defenderse.

El curso tiene una duración de 5 días donde se introduce al asistente en el mundo del hackeo, se muestran técnicas y herramientas usando no sólo PowerPoint sino también laboratorios en ambientes controlados para hacer prácticas.

Ahora bien, algunas opiniones respecto al curso:

+ Mil y un herramientas. Lo cierto es que la cantidad de herramientas que el curso pretende que “veas” es considerable y si sigues tal cual lo que indica el curso no acabas de dominar ni una sola. Tal vez esa es la intención, pero caramba, en unas cuantas semanas apenas y recordarás el nombre de los cientos de programas que se pretenden ejecutar y conocer.

+Leyes de EUA. El curso toca el tema de leyes, pero centrado en EUA. Afortunadamente fue breve, ya que en lo particular confieso que me aburren las leyes y en todo caso el material debería de “tropicalizarse” para incluir leyes de otros países.

+Herramientas desactualizadas. No todas las herramientas incluidas en el material del curso fueron “del 2010” o recientes. No puedo decir un porcentaje, pero por ejemplo el libro incluye Smurf que fue un ataque de finales de los noventa, el POD (Ping of Death) que explotaba una debilidad de la pila TCP/IP en varios sistemas existentes en 1996 (al menos esa es la fecha del aviso del CERT). También el material incluye el NetBus que algunos de mis compañeros en la Universidad llegaron a usar para gastarle bromas a otros estudiantes (estoy hablando de 1998-1999). Parecía un desfile retro de viejos ataques que llegué a ver o escuchar cuando estaba estudiando la ingeniería. Algunas otras herramientas son viejitas pero vigentes, como por ejemplo nmap. Conclusión: está bien ver algunos ejemplos pasados de viejos ataques como que para saber “lo que existió”, pero vaya, yo sí le daría una actualizada al material del curso para ponerlo más 2010 y menos noventero (verdad, “wardialing”?).

+Instructor. Qué tanto te guste el curso y qué tanto te hayan quedado ganas de que pudo haber sido un poco mejor depende (en mi opinión) en gran medida del instructor. En mi caso el curso me gustó, David (Twitter @codigoverde) le dio un giro interesante y supo mantener mi atención con técnicas vigentes y herramientas usadas por “los malos” en el 2010 y aún así manteniendo el balance con los puntos importantes del material del curso. Sí se despegó -lo suficiente- del PowerPoint y de lo que decía el “manual” que se tenía que ver en cuestión de herramientas, y gracias al Dios Todopoderoso que lo hizo. Asimismo vimos herramientas a una profundidad adecuada. Es decir, la dinámica impuesta por mi instructor fue determinante para que el curso en general valiera bastante la pena y he de confesar que superó mis expectativas.

+ ¿Ya soy pentester si curso el CEH? En mi opinión, no. Tampoco si te certificas. Si a mí me viene un fulanito a decir que puede hacer un pentest a mi empresa porque tomó el curso y posteriormente se certificó CEH sin más credenciales y/o justificaciones, le diría que no gracias y seguiría buscando. Sólo tomar el curso y/o certificarte no te hace pentester, o al menos uno que haga un buen trabajo. Recordemos que un buen pentester domina a profundidad las técnicas y herramientas de hackeo para que con tu aval, lleve a cabo pruebas de hackeo controladas que muestren tus debilidades para que mejores. En mi opinión, el curso CEH es introductorio y (si aún no las tienes) tendrás que adquirir los conocimientos y técnicas -a profundidad- por otros medios.

+ Certificación vs Utilidad. ¿Quieres tomar el curso para certificarte CEH o para aplicar lo aprendido en tu trabajo? ¿Yo? Para las dos cosas. Aunque sinceramente me interesa más lo aprendido en esos 5 días. Hay varias cosas que me latería incorporar en lo que hago porque aumentará el valor de mi trabajo. ¿Me faltará tiempo para hacerlo? Tal vez, pero habrá que buscarlo e incorporar técnicas de ahorro de tiempo, no?

¿Vale la pena el curso? Yo pienso que sí, opino que vas a aprender y de paso (estudiando) te certificas. Pero insisto de nueva cuenta en que el instructor hace La diferencia.

En fin, ahora empezaré a buscar tiempos para estudiar y hacer el examen de certificación. Ya que lo haga les estaré contando de cómo me fue y cómo es el examen. Mientras tanto, nos vemos en Twitter: @FaustoCepeda

Fuente | Hacking-mx

6 Easy Steps To Increase Your Privacy On Facebook

2011-04-28T17:59:00.000+10:00

Organizing all of your Facebook friends into separate lists can help save you time and enhance the privacy of your posts and profile information.

You can set up friend lists for family, close friends, college pals, coworkers, industry friends, exes, and, well, whatever else you like. Then you will able to selectively share information using your Facebook account.

For starters, you’ll be able to post messages that are viewable only to the lists you designate. What’s more, you’ll be able to adjust your privacy settings so that your profile details are accessible only to your chosen friend lists.

Six Really Easy Steps

Follow these six simple steps to create a friend list on Facebook. You can create up to 100 friend lists and each list can contain up to 1,000 friends. If you like, friends can appear on multiple lists.

On your Facebook homepage, click on the friends icon in the navigation bar running down the left column.
At the top right of the page, click on the icon with the pencil that reads “Edit Friends.”
At the top right of the page, click on the icon with the plus sign that reads “Create A List.”
A box will appear that reads “Create New List.” In the text box below this, that reads, “Enter A Name,” type in the name of the friend list you want to make, for example, “Industry”.
You will see all of your friends appear in this box. Click on the names of the people you would like to add to the list you just made. Once you select a name, a check box will appear and the name and photo of the person you selected will be highlighted in blue. As you view all of your friends using the scroll bar at right, you can toggle at the top left of the box between “All” (which shows your entire friend network) and “Selected” (which shows the friends you have chosen to be to part of the list).
Click on the link labeled “Create List” to save the changes you made

Modifying Friend Lists

At any time, you can change the name of the list or change the people on the list by selecting the “Edit” link that appears to the right of the list name.
To view, add or delete friend lists, go to your friends page and click on the “Edit Friends” button. Your friend lists will appear in the column at left. Click on each list to modify or delete it.

Limiting Who Sees What

When you post a status update, you can make it visible only to a selected friend list. To do this, after you type your message into the status update box, click on the lock icon. Scroll down and select “Customize.” Click on the drop-down menu under “Make This Visible To.” Select “Specific People.” Type in the name of the list you want to be able to see the status update.

To limit the people who can view your profile information to a friend list, click on “Account” at the top right of your screen.
Click on “Privacy Settings.” Then click on “Customize Settings” at the bottom left of the main text box.

For each option listed at left you can select from the drop-down menu at right “Customize.” Then, where you see “Make This Visible To”, click the drop-down menu and select “Specific People.” Type in the name of the selected friend list that you want to be able to view your profile.

Keep in mind that Facebook may continue to change its friend list interface in future. In the meantime, we suggest you forward this post to people you know who don’t have any lists set up yet — this might help get them started.

Posted by Julie D. Andrews on April 26th, 2011 1:00 PM

Consejos para Navegar Seguro

2011-04-28T17:55:00.000+10:00

Me encontré con una lista de consejos del nic para navegar seguro en Internet donde varios de ellos lejos de ayudarme me hicieron quedar con cara de “what?”. Analicemos algunos de ellos con la intención de criticarlos constructivamente.

Respecto a las contraseñas nos dicen: “Se recomienda hacer uso de contraseñas largas, con diferentes letras, números y símbolos que al mismo tiempo sean fáciles de recordar”. Por “largas” creo que podemos decir que 8 caracteres puede ser suficiente (el nic no lo especifica). Sin mencionar que cuando tenemos 10, 15 ó 20 sitios a los que entramos seguido, acordarnos de “n” contraseñas complejas, diferentes pero fáciles de recordar es algo que pocos hacemos y que el nic no toma en cuenta. Lo que yo hago es usar LastPass que me ayuda a “recordar” estos passwords; así podemos cumplir con eso de que sean diferentes para cada sitio y complejas (y sin necesidad de tenerlas en la mente).

De los sitios nos dicen: “Evitar sitios de origen dudoso. Es importante pensar dos veces antes de hacer click en uno de estos anuncios, pues pueden ser causa de virus o spam”. En su consejo no nos dicen qué es un “sitio de origen dudoso” y nos recomiendan que pensemos dos veces antes de hacer click en “uno de estos anuncios”. Es ambiguo y no del todo cierto: hoy en día hasta sitios legítimos pueden contener contenido malicioso en frames, por ejemplo. No sé cómo definir un “sitio de origen dudoso”, ya que hay unos que ciertamente intuimos que lo pueden ser (por ejemplo pornográficos) pero otros ni idea (como el malware que apareció en el sitio del New York Times). Yo uso NoScript en los sitios que visito para dejar de pensar en si es dudoso o no; puede ser una verdadera lata pero hace su trabajo…pruébenlo y me dicen qué les pareció.

Pongamos el extracto completo que nos ofrece el nic para que vean que no ando intencionalmente seleccionando extractos incompletos: “Cuidar datos personales: El mal uso de los datos personales no sólo se remite a lo que el usuario comparte en sus redes sociales, pues también es importante considerar que nunca hay que escribir nombres, apellidos, direcciones, teléfonos o cuentas bancarias en sitios que no sean seguros. Para saber si un sitio es seguro, basta con revisar que el inicio de su dirección incluya una letra s (https://)”.

Me llama la atención la última parte en donde dicen que para saber si un sitio es seguro debemos de revisar que tenga “https” porque me es difícil ligar el tema de “datos personales” con el de TLS (https). Cuando un sitio cambia a https, lo que nos dice es que tiene un certificado válido; pero NO nos dice nada de qué harán con nuestros datos ni del cuidado de los mismos. El “https” crea un canal cifrado entre tú y el sitio, quien quiera que el sitio sea o pretenda ser. Nada más. Pueden intentar https://www.RoboTarjetasDeCredito.com y estarán tranquilos de saber que usa “https” y que aparece un candadito en su navegador, cierto?

Nos dicen: “No ejecutar archivos sospechosos” comentando que al navegar algunos sitios mal-intencionados nos pedirán descargar algún archivo aparentemente necesario. De nueva cuenta, eso de “archivos sospechosos” es ambiguo y poco claro, y por lo tanto poco útil. Sitios legítimos me piden también que descargue algún software (quítenle flash a su navegador y se sorprenderán) y me piden que habilite ActiveX o JavaScript (con NoScript se darán cuenta de esto último). ¿Entonces qué hacemos? Podemos usar un Sandbox, un firewall personal u otros controles (de preferencia preventivos como los ofrecidos) que le permitan al usuario común dejar de decidir si un archivo es “sospechoso”.

En fin, estos fueron algunos de los consejos que llamaron mi atención. La lección –creo- es que no debemos de aventar consejos ambiguos a los usuarios y sí usar nuestro sentido común para revisar bien lo que estamos diciendo; yo mismo he caído en esta trampa al asumir que el usuario a quien me dirijo es un CISSP.

Por otro lado, a algunos no les late poner “marcas” en su blog o artículo, pero las “marcas” pueden apoyar nuestras ideas o consejos. Tal vez se valga decir que no navegues en sitios inseguros y que puedes usar NoScript, por ejemplo. Así si no queda claro lo de “sitios inseguros”, al menos le estás dando un consejo claro y preciso de usar una herramienta. En fin, aquí siempre está el tema de “me pagan para poner marcas” que yo simplemente ignoro.

Si te das un tiempo de leer los consejos del nic, creo que coincidirás conmigo en que su concepto o lo que quisieron transmitir es valioso. Pero la ambigüedad y no ponerse en el lugar del usuario promedio a quien supuestamente van dirigidos los consejos, no fue muy atinado. ¿Tú qué opinas?

Fuente | Hacking-MX

Conoce OWASP, una excelente iniciativa de Seguridad

2011-04-28T17:28:00.000+10:00

Existen métricas para casi todo a nivel de proyectos de desarrollo de software, sin embargo, en temas de seguridad hasta hace unos años era un territorio virgen, no había gran avance en el tema, ya que la seguridad no era tenida en cuenta en los procesos de desarrollo o tal vez no pasaba de un checklist pequeño que revisaba posibles fallas de seguridad presentes en las aplicaciones.

En el año 2001, en Diciembre para ser más exactos, nace la iniciativa de OWASP, Open Web Application Security Project, como un grupo de expertos en temas de desarrollo y seguridad con las intensiones de plantear proyectos que a su vez trabajaran en temas de seguridad de aplicaciones, buenas prácticas para desarrollo seguro, pruebas de seguridad para software entre otros. Hoy en día OWASP cerca de sus primeros 10 años, plantea una organización sin ánimo de lucro conformada por un excelente grupo de profesionales de todo el mundo involucrados en varios proyectos desde la sensibilización hasta lo técnico trabajando en tres frentes (Entender como categorías): Detección, Protección y Ciclo de Vida.

A nivel corporativo, el requerimiento de implementar estándares como PCI (a nivel de transacciones de pago a través de medios electrónicos), hablan de la necesidad de implementar controles y ataques orientados al uso de OWASP, esto ofrece un marco de confianza y respaldo al trabajo en este gran proyecto.

Dentro de los frentes mencionados anteriormente, se encuentran proyectos que aportan sustancialmente a los equipos de desarrollo al hablar de código seguro, veamos algunos de ellos:

Proyecto Top Ten

Este proyecto consiste en la investigación y el respectivo análisis de las vulnerabilidades más presentadas a nivel de aplicaciones, una clasificación por criticidad, el tratamiento y presentación de soluciones para implementar. Se genera un documento anualmente y busca generar un estado del arte en temas de seguridad de aplicaciones, útil para evaluar y tomar medidas reactivas a posibles fallos de seguridad.

Proyecto Application Security Verification Standard (ASVS)

A través de este proyecto se propone un estándar o marco de referencia a través del cual se deben implementar los análisis de seguridad a aplicaciones web. Empleando el estándar como marco de referencia es posible el desarrollo de pruebas de seguridad y validación que las vulnerabilidades propuestas a través del Top Ten no se encuentren en las aplicaciones web analizadas además de otros tipos de análisis contra otros tipos de ataques.

Proyecto WebScarab

Se trata del proyecto en torno a un framework a través del cual se pueden analizar aplicaciones que se comunican a través de los protocolos HTTP y HTTPS. Su funcionamiento es similar al de un sistemas proxy de interceptación, permitiendo observar, editar y reenviar solicitudes creadas a nivel del navegador antes de ser enviadas al servidor. Su potencial es muy grande ya que cumple una función similar a aplicaciones como Tamper Data, permitiendo realizar ataques de Cross-Site Request Forgery (CSRF).

Proyecto Secure Coding Practices

Por medio de un documento que aborda las buenas prácticas para desarrollo seguro, un equipo de investigación dentro del proyecto OWASP, propone lineamientos, recomendaciones y referencias para aplicar en procesos de desarrollo de software totalmente adaptable al proceso llevado a cabo dentro del ciclo de vida del software a construir o en proceso.

Proyecto Enterprise Security API (ESAPI)

Por medio de Top Ten se identificaron las vulnerabilidades que se encuentran presentes con mayor frecuencia en proyectos de software. Por medio de herramientas como WebScarab se hace explotación de estas vulnerabilidades. Haciendo revisión de las buenas prácticas de desarrollo de software seguro se cuentan con lineamientos para involucrar buenas prácticas al proceso de codificación. Ahora es necesario implementar controles para evitar que el software desarrollado sea vulnerable a ataques conocidos. Es aquí cuando podemos hablar del proyecto Enterprise Security API, mejor conocido como ESAPI.

Un grupo de expertos en seguridad y desarrollo, ha puesto a disposición de todos una API para canocalización y sanitización (no recibir o enviar información que contenga caracteres o información que se pueda traducir en ataques) de entradas y salidas de información desde y hacia nuestras aplicaciones, ofreciendo controles estandarizados para las vulnerabilidades presentadas en el OWASP Top Ten.

ESAPI se encuentra disponible para lenguajes como PHP, JAVA, Python, .NET, ASP, Ruby, entre otros, además de ofrecer documentación para su implementación a través del uso de patrones de software.

El uso de ESAPI como API de control de ataques ofrece múltiples beneficios a equipos de desarrollo:

Facilidades de implementación en diversos lenguajes y tecnologías
Capacidad de transformación de acuerdo a las necesidades cambiantes del área de seguridad y especialización de ataques, similar a la frase: “No reinventar la rueda, sólo optimizarla“
Ofrecer calidad en los procesos de desarrollo a través de el cumplimiento de buenas prácticas y estandarización de codificación.

Para finalizar esta revisión del proyecto OWASP, una invitación a participar en los capítulos locales en cada país o formar uno, de la misma forma, acercarse a este tipo de proyectos que similares a proyectos de software libre, aportan en gran medida a procesos de mejoramiento continuo y estandarización, algo necesario en el mundo empresarial actual y asociado a ese tema que tanto nos apasiona, la seguridad de la información.

Fuente | Hacking-MX

Seguridad VS Usabilidad: Mejor educar

2011-04-28T17:25:00.000+10:00

No es extraño para los usuarios de sistemas informáticos, especialmente los que manejan información que puede llegar a considerarse como privada o confidencial, cuenten con sistemas de autenticación más complejos, temas como doble validación (algo que se sabe y algo que se tiene) e incluso autenticación de tres factores (algo que se sabe, algo que se tiene y algo que se es).

Haciendo una retrospectiva a las razones de implementación de estos controles es necesario hablar de uno de los primeros controles y que a pesar del tiempo se niega a desaparecer, y que bueno que no lo haga. Con esto me refiero a los famosos sistemas “Captcha” o de validación de “humanidad”, por denominarlo de una forma más nemónica.

A través de sistemas de reconocimiento de símbolos, operaciones matemáticas e incluso, respuesta a preguntas, se busca determinar que quien llena un formulario o un sistema de registro de datos, sea un humano y no un robot o aplicación diseñada para generar spam. Sin embargo, el sistema de captcha ha tenido que evolucionar dado que las técnicas de sobrepaso de sus controles es fácilmente vulnerada por atacantes que a través de técnicas de análisis de imágenes, detección de bordes, e incluso bases de datos de captchas, traspasan estos controles. A pesar de ello, aún el clásico captcha de operaciones aritméticas escritas en letras resulta muy compleja de superar.

Pasamos ahora a otros controles más rigurosos, tales como los implementados a nivel de portales de banca o sistemas financieros. Debido a los constantes intentos de fraudes y de robo de información perpetrados contra estos sistemas de información, se habla de múltiples controles tales como teclados virtuales (para evadir posibles keyloggers), preguntas de seguridad (algo que se sabe), uso de tokens (algo que se tiene), además de bloqueos de sesión por tiempos cortos de inactividad, ofuscación d entre otros controles.

Desde estas perspectivas, los controles implementados harían en teoría este tipo de sistemas muy difíciles de vulnerar para posibles atacantes. Desafortunadamente, en la medida que se implementan más controles para dificultar las actividades delictivas a atacantes, se aumenta la dificultad de acceso para los usuarios.

La situación antes mencionada se traduce para el usuario en traumatismos para el manejo de cuentas de acceso a plataformas, exigencia de información que no resulta de fácil recordación, requerimientos técnicos a nivel de navegadores u otros componentes de software. Esto crea apatía hacia el uso de la tecnología que se traduce en difusión de comentarios que pueden afectar la imagen o reputación de una organización.

No es un mito o mentira el hablar de que a mayores controles de seguridad la usabilidad y accesibilidad se ve afectada a nivel de aplicaciones y sistemas de información. Tampoco es una mentira que actualmente nos encontramos en un estado de explotación tecnológica en el cual la clásica frase de “policías y ladrones” se traslada al mundo virtual, donde es más fácil delinquir al igual que esconderse.

Entonces ante lo anterior,

¿Qué se puede hacer por parte de quienes trabajamos en seguridad para hacer que los usuarios de estas tecnologías, entre los que nos incluimos también, encuentren en estos controles seguridad en vez de trabas o molestias en su acceso a la información?

A partir de la experiencia en temas de soporte, tratamiento y asesoramiento de usuarios y otros aspectos relacionados he encontrado y creo que más de una persona estará de acuerdo, la solución es crear conciencia, explicar los peligros existentes, si, es necesario primero crear una sensación de peligro por que existe y es real, los robos de datos de tarjetas de crédito no es un mito, el robo de cuentas de usuario de correo electrónico o redes sociales es una realidad que crece día a día por más que se implementen controles.

Es por ello que la labor de educar en la seguridad de la información permitirá a nuestros usuarios y a nosotros mismos, entender que estas medidas de seguridad buscan protegernos y al mismo tiempo, proteger nuestra información y activos, además de ofrecer una sensación de tranquilidad de saber que existen controles y mecanismos que hacen la tarea de delinquir más difícil a posibles atacantes o ladrones.

En conclusión, ante todo lo anterior, hacer de la educación en seguridad de la información una herramienta poderosa para hacer nuestro trabajo más sencillo pero más allá de eso, hacer la vida de las personas que emplean los sistemas, portales y aplicativos en general, más segura.

Fuente | Hacking-MX

Commonwealth Bank #Phishing #Australia

2010-09-20T09:58:00.000+10:00

September 17th, 2010, 19:54 GMT| By Lucian Constantin

Security researchers from Sophos warn of an unusual phishing attack targeting Commonwealth Bank customers, which makes use of a DNS hijacking trojan to steal login details.

The attack starts with spam emails abusing a real Commonwealth Bank email template, which includes the organization's logo, copyright notice and other identification elements.

The rogue messages come with a subject of “Update your Commonwealth Bank” and read: "This e-mail is to inform you that your account will be suspended within 48 hours due to your Account Inactivity."

The recipients are told that they need to confirm certain information associated with their account in order to continue using it.

A "Verify My Account Information" link is included in the email, but surprisingly, it doesn't lead to a phishing website.

Instead, it points to a file called CommBank.scr hosted on an external .cx (Christmas Islands) domain, which if ran, installs a computer trojan.

This malware's primary purpose is to phish credentials from users and it achieves this through two files dropped in the \drives\etc folder.

One is called pic.url and leads to a Commonwealth Bank phishing page. The other is a HOSTS file, which contains rogue DNS entries for the bank's domains.

This will cause all requests for commbank.com or commbank.com.au made from an infected computer to be redirected to a phishing website, which mimics the bank's login system.

Ironically, the trojan installer is also infected with a virus called Sality, suggesting that the computer of whoever is behind the phishing attack is affected by this threat.

"[…] It’s unlikely this is a deliberate measure, as we’ve seen uninfected variants of this phishing Trojan in the past (which we detect as Mal/RarHosts-A), and anyway the Sality doesn’t so much hide the Trojan as paint it in bright colours, making it even easier to spot and to block," explained Richard Cohen, a malware researcher at Sophos.

Follow the editor on Twitter @lconstantin

Gone #Phishing and your the fish!

2010-09-09T11:17:00.002+10:00

Believe it or not, there are rascals inhabiting this very planet, their consequence emanates from under the woodwork everywhere, and arrives without warning at your inbox.

These communiqués, in the form of emails, are simply the result of people who have gone “phishing,” not to be confused with the term “gone fishing,” a practice no one seems to object to except maybe the fish. Still these rogues are after a fish, and the fish my friend is you!

Phishing employs both technical schemes and reliance on your lack of caution, to gain your personal identity and financial information data.

The way they hook their victim is through a cloaked link (the bait) leading their unsuspecting fish, that’s you, to a counterfeit website carefully designed to trick their catch (you) into divulging private financial data such as, credit card numbers, usernames, passwords, social security numbers, and so forth.

These traps are intermingled with everyday spam, or whatever passes as spam, littering your inbox. In reality, ordinary spam is merely bothersome at worst, requiring its disposal through excessive use of the delete key, yet phishing can be far more destructive.

These deceptive ploys fraught with harmful intentions are daily appearing in mail boxes everywhere, arriving from outside and inside the country highlighting the Internets lack of policing and our peril.

An email message can be a useful and handy tool, yet it’s tailor-made for this type of villain. The reminder you receive can appear as a genuine concern from a business you are doing commerce with, and have already entrusted your personal information.

The subject line of these bogus emails reads something like, “We suspect an unauthorized transaction on your account,” then sets the hook by declaring only “good intentions” by stating, “To ensure your account is not compromised, please click the link below and confirm your identity.”

Or, the phony email might assert that, “During our regular verification of accounts we couldn’t verify your information.” This phrase is calculated to put you into a panic, then comes the bait, please click here to update and verify your information.” And, if you do, they win!

And yes, I am not too proud to admit a close friend of mine, in his newbie days, fell prey to this blatant deception. Come to think of it, his name and description is curiously the same as mine. Oh well, I know it couldn’t have been me, as I wouldn’t fall for such a ruse. Then again!

Following this incident, I have developed a simple rule, I never respond through any email allegedly from anyone I’m doing business with, regardless of my lack of suspicion. Where I feel it’s of proper concern, I go directly through my browser to the site, enter and check it out.

This advice I offer you like a brother, never react directly with any message that poses a serious concern and provides a “convenient” link for you to deposit your critical information. It could be the most costly mistake of your life.

While there are sites where you can forward these poison pills, your only real protection, is you. Don’t rely on any company, notwithstanding their plausible concerns, for in the end, you retain the power of the delete button, use it wisely.

By the bye, phishing is often referred to as “spoofing,” what a harmless expression. As if, “sure I stole your identity, cleaned out your bank account, left you with huge financial losses to overcome, but hey, I was only spoofing!”

Source:

http://www.akscb.com/gone-phishing-and-your-the-fish.html

Gmail #phishing campaign is under way

2010-09-09T11:14:00.000+10:00

Fake notices inviting Gmail users to update their Google account information have lately been hitting inboxes around the world, warnsSunbelt.

Purportedly coming from the "Google Team", the rather legitimate-looking message tries to make the users download and open the attached Gmail_access.html file, which when opened in a browser presents a very realistic, but fake version of the Gmail login page:

If it looks realistic, it is because it loads certain graphic elements from the legitimate Gmail page, but a peek at the source code of the page reveals that the entered information gets sent to a script hosted on a domain registered in Serbia.

Source: http://www.net-security.org/secworld.php?id=9842

ArcSight up for sale at $1.5 billion #SIEM

2010-08-30T09:08:00.000+10:00

Not going cheap

By John E Dunn
Techworld
Published: 16:23 GMT, 27 August 10

In an unusual move, security software company ArcSight has reportedly put itself up for sale with a $1.5 billion (£966 million) price tag believed possible. If correct – the report comes via the Wall Street Journal – the price would be a premium above the company’s current share price of $36, or less than a billion dollars market cap.

To put this into perspective, as recently as 25 August the company’s share price was trading at around $28, so it has already surged on the back of the story. The intrusion detection and Security Information and Event Management (SIEM) company raised $50 million during its IPO in February 2008 when the share price was set at $9.

The Wall Street Journal names HP, EMC, Oracle and CA as possible bidders, although that is pure speculation. There are only a handful of companies that could come close to meeting the price tag. Security companies are suddenly popular buys, possibly because they appear relatively cheap to larger companies gripped by the belief that security is one set of technologies that enterprise vendors can no longer afford to be without.

The tactic of ‘asking’ for bids looks unusual, possibly a sign that ArcSight believes it can get better offers with a little publicity. In fact, many companies tout themselves as open to bids before being sold.

Source: http://news.techworld.com/security/3237261/arcsight-up-for-sale-at-15-billion/

Cuidado con el #phishing

2010-08-14T12:25:00.000+10:00

Hace unos días recibí un correo electrónico de una entidad bancaria avisándome de que habían bloqueado mi cuenta. En cualquier otra circunstancia podría ser un motivo de alarma, si no fuera porque no tengo ninguna cuenta abierta en este banco.

Es muy común, cada vez más por cierto, recibir este tipo de mensajes, detrás es ellos lo que hay es una de las más extendidas estafas a través de Internet, lo que entendemos por phishing.

El funcionamiento es siempre el mismo. Se recibe un correo electrónico de una entidad bancaria, te avisan de que hay algún problema en la cuenta y de indican que pinches en un enlace que aparece en el mensaje y que, supuestamente, te envía a la página del banco o caja en cuestión.

Luego te debes introducir tu datos para solucionar el problema, la cuestión es que los datos que te solicitan incluyen información personal, de cuentas, de tarjetas, claves, etc.

Los estafadores, una vez que obtienen esos datos los utilizan para hacer operaciones en nuestro nombre, comprar con nuestras tarjetas o transferir nuestro dinero a otras cuentas.

Es muy importante tener esto en cuenta y no fiarse de este tipo de comunicaciones. Ningún banco va a solicitarnos nuestros datos a través de estos medios. En caso de recibir una comunicación como esta, mejor preguntar en nuestra oficina bancaria si hay algún problema.

En Yo llego a fin de mes | ¿Por qué tengo que meter mi PIN para pagar con tarjeta?
Imagen | DRB62

Reduccion del #Phishing

2010-08-14T12:21:00.000+10:00

Escrito por CSO el 11 • Agosto • 2010

Se mantiene la reducción en cuanto al tráfico de phishing iniciada el trimestre anterior. Así, en el pasado trimestre pasamos a porcentajes de 0.03 por ciento cuando veníamos de casi un punto porcentual. Este trimestre el tráfico de phishing se redujo de poco a poco, quedando en el 0.02 por ciento del tráfico total.

PayPal es el centro de la mayor parte de estos ataques, con un más que destacado 60.4 por ciento, seguida de eBay u HSBC con porcentajes del 9.3 y del 6.5 por ciento. En este apartado, Kaspersky destaca que se está produciendo un incremento significativo de los ataques de phishing en torno a las redes sociales, y así sitios como Facebook o MySpace aumentaron sus porcentajes. Junto a ellos sitios de juegos en línea como WoW y Zynga, o servicios de juegos como Steam van también al alza.

Aprueban reforma a Ley de Bancos

2010-08-14T04:41:00.002+10:00

Aprueban reforma a Ley de Bancos en primera discus...: "El artículo 12 de la normativa trata sobre las inhabilidades para ser promotores, accionistas principales, directores, administradores y con..."

Friends & Family I'm going to be a Dad.... #baby

2010-06-01T11:19:00.002+10:00

Enhorabuena.... Quiero compartir una noticia con todos Uds...

La decisión de ser padre es una de las cosas más importantes en la vida de una persona. Cualquiera que sea la edad del padre o su estado civil, seguramente afectará su vida en múltiples aspectos. La felicidad de ser padre por primera vez será una de las experiencias más enriquecedoras de toda mi vida.

La paternidad lleva las emociones a sus niveles más profundos, cuando escuche la noticia de que mi esposa estaba embarazada sentí placer, confianza y orgullo tanto como padre como también como hombre y siempre estaré en búsqueda de proyectos que estén relacionados con mi paternidad.

El Correo Electrónico De #Phishing Perfecto

2010-05-30T11:19:00.000+10:00

AMSTERDAM, 26 de Mayo, 2010 – Los errores de seguridad en redes sociales en línea permiten el robo de identidad y alimentan las bases de datos de los spammers.

¿Ha recibido ya propaganda sobre pastillas de Viagra proveniente de sus amigos en Myspace? ¿Le han informado también a través del facebook que ha heredado una gran cantidad de dinero del recientemente fallecido Primer Ministro de África Central? Si este es el caso, la probabilidad es que usted sea el afortunado entre 1/300 personas que han sido expuestas a errores de seguridad en redes sociales en línea.

El proveedor de seguridad de correos electrónicos holandés SpamExperts investigó recientemente la extensión en la que los spammers usan en realidad las redes sociales en línea como facebook, twitter, Myspace y similares, con el fin de apuntar a miembros de estas redes para el envío de spam. Una falla de seguridad conocida, por ejemplo, es que a pesar de que los usuarios habían marcado sus fechas de nacimiento como ‘información privada’, los phishers fueron capaces de verlas mediante el envió de un enlace especial a los usuarios que no sospechaban nada.

El CTO de SpamExperts, van Donselaar, añade: “En redes en línea complejas como los sitios de redes sociales, siempre existirá el riesgo de que se escape información. Este peligro está en la naturaleza misma de estas redes de conectar personas y compartir información entre amigos y otros con la misma forma de pensar. Esto, sin embargo, también significa que ‘los spammers’ están escuchando y buscando formas de obtener ganancias de los usuarios que no son cuidadosos.”.

Recientemente, 1.5 millones de cuentas de facebook estuvieron disponibles para cualquiera que deseara adquirirlas a un precio de $25 – $45 por cada 1,000 cuentas. Aproximadamente, 700,000 se han vendido ya con el único propósito de obtener mediante email fraudulento (phishing) los datos privados de usuarios y conexiones de amigos. Luego, las direcciones de correos electrónicos encontrados vía las redes se revenderán en el mercado de spam puesto que son altamente precisas y tienen incluso nombres e información privada adjuntos a ellas. Esto hace extremadamente fácil para los spammers montar el email de embuste o phishing perfecto. Sólo un filtro de spam profesional será capaz de detectar fácilmente y poner estos mensajes no solicitados en cuarentena para prevenir al usuario del peligro involucrado.

El caso más famoso de un spammer atrapado en facebook fue el de un spammer con base en Montreal llamado Adam Guerbuez. Se le impuso una multa record de $873 millones en el 2008, luego de que pirateara y enviara mensajes sexualmente explícitos a millones de cuentas de usuarios en el sitio de red social.

Acerca de SpamExperts

SpamExperts es el principal proveedor de soluciones de seguridad de correos electrónicos de Ámsterdam. Desde el año 2004, SpamExperts ha estado incrementando su clientela en Europa, las Américas, África y Australia, y en el ínterin se ha convertido en el líder del mercado en un número de países. Todas las soluciones se desarrollan dentro de la empresa y se ofrecen vía SaaS o se instalan directamente en la infraestructura del cliente como un software administrado. El precio para filtrado de correo entrante comienza en USD 0.30/ Dominio/ Año, sin limitaciones de usuario o buzón de entradas. Los últimos suplementos al portafolio del producto son un servidor de filtro de correo saliente, así como un producto de archivo de correos.

–

FIN NOTA DE PRENSA

Fuente: http://tinyurl.com/24xpsl8

Tabnabbing; #phishing a través de las pestañas del navegador

2010-05-30T11:13:00.000+10:00

Acá les dejo un articulo extraido del La Comunidad DragonJAR

Tabnabbing; phishing a través de las pestañas del navegador

-----------------------------------------------------------

Aza Raskin ha desvelado un nuevo método de modificación de páginas en

pestañas del navegador (afecta a casi todos) que puede ser utilizado

para realizar ataques de phishing un poco más sofisticados. Está basado

en una técnica que permite modificar el aspecto de una página cuando no

tiene el "foco" de la pestaña del navegador. El ataque es ingenioso,

aunque tiene sus limitaciones.

Cómo funciona

Un usuario navega hacia la página del atacante, que no tiene por qué

simular ningún banco o página de login. Simplemente es una página más

equipada con un código JavaScript que hará el "truco". La víctima cambia

de pestaña (o de programa, lo importante es que pierda el foco) y sigue

con sus visitas cotidianas a otras páginas. Mientras, la web del

atacante cambia por completo gracias al JavaScript: el favicon, el

título, el cuerpo... todo excepto el dominio, lógicamente. La página

ahora podría parecerse a (por ejemplo) la web de login de Gmail. La

víctima, vuelve a la pestaña más tarde y piensa que ha caducado su

sesión. Introduce su contraseña y ésta viaja hacia el atacante.

Se supone que el usuario bajará la guardia puesto que, hasta ahora, se

supone que una pestaña no "muta" a nuestras espaldas y por tanto, si

aparece como "Gmail", por ejemplo, es que lo hemos visitado previamente.

Los usuarios que mantengan habitualmente muchas pestañas abiertas, saben

que es fácil olvidar qué se está visitando exactamente en cada momento.

Mejoras al ataque

Según el propio descubridor, se podría investigar en el historial de CSS

del navegador para averiguar qué páginas visita el usuario y mostrarse

como una de ellas dinámicamente, para hacer más efectivo el ataque.

Existen otros métodos para incluso averiguar en qué sitios está

realmente autenticado el usuario, con lo que la técnica resultaría más

efectiva.

Si el atacante consigue incrustar JavaScript en la web real que se

quiere falsificar (por ejemplo a través de publicidad contratada a

terceros) entonces la página cambiaría sobre el dominio real... y

entonces sí supondría un ataque "casi perfecto".

En directo

El descubridor, en su entrada

A New Type of Phishing Attack Aza on Design, ha

colgado una prueba de concepto. Si se visita esa web, se pasa a otra

pestaña durante 5 segundos (tiempo arbitrario impuesto por el

descubridor), y se vuelve, mostrará una imagen de Gmail que toma de

http://img.skitch.com/20100524-b639x...pch2387ene.png

superpuesta sobre la página. Cambiará el favicon y el título.

Obviamente, el ataque en este ejemplo está específicamente diseñado

para que sea "visible".

Qué aporta el ataque

Supone un método ingenioso y nuevo de intentar suplantar una página.

Funciona en Firefox, Opera y (de forma un poco irregular) en Internet

Explorer 8. Parece que Chrome no es vulnerable, aunque es posible que

aparezcan métodos para que sí lo sea.

Limitaciones

El ataque sigue confiando en que el usuario no tenga en cuenta la URL,

por tanto, cuando la víctima vuelve a la pestaña, estaría ante un caso

de phishing "tradicional" sino fuera porque la pestaña cambió "a sus

espaldas". Realmente pensamos que no será un ataque puesto en práctica

de forma masiva por los atacantes, aunque obviamente puede ser utilizado

selectivamente. La razón es que el phishing tradicional, burdo y sin

trucos, sigue funcionando y reportando importantes beneficios a quienes

lo ponen en práctica sin mayores complicaciones técnicas. Y ambos se

basan en que el usuario medio no aprovecha los beneficios de los

certificados ni se fija en las URLs donde introduce las contraseñas.

Un ataque "parecido" basado en la superposición de páginas en una web

conocida, fue descrito por Hispasec en mayo de 2005. En esa ocasión se

escribió "Nueva generación de phishing rompe todos los esquemas" porque

en estos casos, la URL del sitio falso (y el certificado) coincidía con

la real, esto es: realmente se estaba visitando la web real, y la

falsificada se "ponía" encima. Obviamente, este ataque necesitaba de una

vulnerabilidad de Cross Site Scripting en la web original. Por desgracia

el XSS es el tipo de error más común en estos días, tanto en bancos como

en otras páginas importantes que trabajan con credenciales. A pesar de

lo efectivo del ataque, no se observaron ataques masivos basados en esa

técnica.

Mitigación

Para no sufrir el "tabnabbing", es necesario fijarse en las URLs antes

de introducir contraseñas, como siempre. Desactivar JavaScript para las

páginas en las que no se confíe, ya sea a través de la Zonas para

Internet Explorer o No-Script para Firefox.

Opina sobre esta noticia:

Hispasec - Seguridad Informática

Más información:

A New Type of Phishing Attack

A New Type of Phishing Attack Aza on Design

Nueva generación de phishing rompe todos los esquemas

www.hispasec.com/unaaldia/2406

Fuente: http://tinyurl.com/282xlj4

SSH tunnel with #PuTTY

2010-05-27T00:43:00.001+10:00

What follow is how to set up as SSH tunnel using PuTTY with the MySQL port (3306) forwarded as an example. After completing this how-to you'll have port 3306 on your local machine listening and forwarding to your remote server's localhost on port 3306. Thus effectively you can connect to the remote server's MySQL database as though it were running on your local box.

Prerequisites

This how-to assumes your MySQL installation has enabled listening to a TCP/IP connection. Only listening on 127.0.0.1 is required (and the default as of MySQL 4.1). Although beyond the scope of this how-to, you can verify the server's listening by using mysql -h 127.0.0.1 rest of options on the server. Look for bind-address = 127.0.0.1 and skip-networking = 0 in your /etc/mysql/my.cnf. Also, a trouble-shooting guide.

To achieve the same with PostgreSQL simply use PostgreSQL's default port, 5432. psql -h 127.0.0.1 rest of options to test;/etc/postgresql/pg_hba.conf and the manual as pointers for configuration.

Set up the tunnel

Create a session in PuTTY and then select the Tunnels tab in the SSH section. In the Source port text box enter 3306. This is the port PuTTY will listen on on your local machine. It can be any standard Windows-permitted port. In the Destination field immediately below Source port enter 127.0.0.1:3306. This means, from the server, forward the connection to IP 127.0.0.1 port 3306. MySQL by default listens on port 3306 and we're connecting directly back to the server itself, i.e. 127.0.0.1. Another common scenario is to connect with PuTTY to an outward-facing firewall and then your Destination might be the private IP address of the database server.

Add the tunnel

Click the Add button and the screen should look like this...

Save the session

Unfortunately PuTTY does not provide a handy ubiquitous Save button on all tabs so you have to return to the Session tab and click Save...

Open the session

Click Open (or press Enter), login, and enjoy!

Here for reference is an example connection using MySQL Adminstrator going to localhost: note the Server Host address of 127.0.0.1 which will be transparently forwarded.

Source: http://realprogrammers.com/how_to/set_up_an_ssh_tunnel_with_putty.html

Robo de información, una amenaza en la red: #phishing

2010-05-26T23:42:00.001+10:00

13 Abril 2010

Una de las principales amenazas en la red para 2010 será el robo de información mediante el envío de un correo electrónico que de forma fraudulenta asegura provenir de una organización real y legal.

Phishing ya conocido en la red, evoluciona con ciertos cambios.Siempre ha estado dirigido a la industria financiera, pero algunas agresiones de Phishing actuales van enfocadas a inicios de sesión o contraseñas. El hacker se hace pasar por una entidad gubernamental y atrae a la víctima para que de datos presonales. El 60% de estos correos se hace pasar por instituciones financieras mientras que el 20% lo hace como una organización del gobierno.

IBM dió a conocer un reporte de riesgos, aportando datos sobre cómo los hackers intentan obtener información para conseguir dinero de forma ilegal. El estudio indica el aumento de estas acciones ilícitas en la segunda mitad de 2.009 y la amenaza que supone para 2010. También han cambiado los países en los que era más frecuente el Phishing, antes eran España, Italia y Corea del Sur, ahora aparecen Brasil, Estados Unidos y Rusia como primeros en la lista.

IBM aporta reportes con conclusiones y datos de sumo interés para la seguridad en la red: han disminuido las vulnerabilidades críticas y elevadas sin parches; los enlaces maliciosos han aumentado considerablemente; los hacker siguen teniendo éxito en hospedar webs maliciosas; los ataques con ofuscación siguen en ascenso. Hay que tomar medidas de precaución en Internet en todos los ámbitos, empresariales y personales.

Imagen sujeta a licencia CC. IBM BB.AA.

¿Su cuenta de #Blogger esta por ser suspendida?

2010-05-26T23:42:00.000+10:00

Cuando recibimos en nuestro correo un mensaje cuyo título es Su cuenta de Blogger esta por ser suspendida, aún cuando sepamos que ese no el modo en que Blogger nos comunica algo por muy dramático que sea, uno no puede dejar de sentirse ... bueno,preocupado

si siempre tenemos la precaución de leer el enlace de los mensajes antes de hacer click, cosa que se puede hacer poniendo el puntero del ratón encima y mirando lo que dice el navegador en la barra de estado. En este caso, algo así:

Parece que viene de blogspot pero no; el dominio no es eso que aparece inmediatamente después de http:// o www. sino eso que aparece justo antes del llamado Top Level Domain (org, edu, gov, com, info, net) y en este caso, la extensión es tc pero puede ser cualquier otra porque al parece, lo que sobran son letras y ladrones.

http://blogspot-id3849402.sv.tc/?upgrade=true&id=439288

Bueno, tampoco es necesario ser un genio para ver en el detalle del mail que este fue enviado por algo o alguien llamado pompeya.dattaweb.com que obviamente, no es Blogger ni Google ni nada semejante pero ¿cuántas veces hacemos eso?

Sea como sea, al recibir el mensaje, lo que se debe hacer es denunciarlo, insultar un poco y luego, borrarlo de un plumazo.

Si prosiguieramos con el mail recibido, iríamos a parar a la pagina de captura de datos:

con una copia exacta de la página de inicio de Blogger que en realidad, es un IFRAME de este dominio:

http://conexionesvhs.com/

que es el objetivo del autor del phishing... Mucho cuidado con entrar datos en ninguna parte !!!

Fuente: http://vagabundia.blogspot.com/2010/04/su-cuenta-de-blogger-esta-por-ser.html

INTELLINX HAS HOW MANY CUSTOMERS? #AntiFraud

2010-05-26T23:31:00.000+10:00

Intellinx Ltd., a pioneer of end-user behavior tracking solutions for fraud detection and regulatory compliance, today announces its release of Intellinx zWatch for IBM System z. The new version allows organizations to track all business transactions performed on the mainframe, generate a detailed audit trail and detect suspicious activity in real-time.

"Intellinx creates a forensic database that can be used for detecting and preventing fraud and data leakage and for managing investigations," says Jim Porell, IBM Distinguished Engineer and Security Architect for IBM System z software. "It has proven to be complimentary with other compliance related tools, such as IBM's Tivoli Compliance Insight Manager, to dramatically reduce the incidents of fraud within a business. The zWatch product, when used with the existing Intellinx offerings provides a cross platform enterprise hub for managing forensics and fraud that can reduce deployment costs while raising the overall value of the offerings."

Financial, government and healthcare enterprises worldwide utilize Intellinx to hold their end-users accountable for every action performed. The system obtains a detailed forensic audit trail of the activities of all end-user types, including business users and privileged IT users, as well as partners and customers who access the corporate systems through the web or in other ways. All access to corporate data is recorded and is available for playback, including update and read-only transactions. The Intellinx audit trail enables compliance with government regulations, such as FACTA Identity Theft Red-Flags, PCI-DSS, Sarbanes-Oxley, Basel II, GLBA and HIPAA.

Equifax Inc., a global leader of information solutions (NYSE: EFX) deployed Intellinx last year to help track end-users activity in its core business applications.

"Information security is a cornerstone of our business and, as a company, we are committed to placing the highest standards on data protection," says Tony Spinelli, Equifax Chief Security and Compliance Officer "Intellinx enables us to enhance our security monitoring capability by providing a reporting platform that allows our fraud investigators to visually replay screen data of both current and historical transactions and receive real-time alerts on suspicious events."

"IBM mainframe is still the world's most popular platform for running large scale mission-critical applications" says Orna Mintz-Dov, CEO of Intellinx. "We are excited to deliver, with IBM as an Advanced Business Partner, a solution for the growing need for embedded auditing function within the mainframe."

zWatch expands the Intellinx enterprise level solution for detecting and preventing fraud and information leakage. The new version can be combined with the existing Intellinx non-invasive version which runs on Windows, UNIX or Linux machines and tracks user and business activity on IBM System z mainframes, i5/OS, Web, Client/Server, Databases and other platforms. zWatch runs natively on the mainframe, sniffing all inbound and outbound network transmissions and recording all end-user screens and keystrokes as well as application transactions. It profiles user and account activity and generates alerts on anomalies in real-time.

zWatch has been tested extensively and has proved to impose almost no impact on workloads since it runs as a Java application on the System z Application Assist Processor (zAAP) processor, a specialty engine designed exclusively to operate asynchronously with general purpose processors minimizing any burden to other mainframe workloads. The Intellinx patent-pending technology captures the activity of all mainframe users 24X7, yet has minor impact on disk space requirements as it stores the recorded data in highly condensed format. zWatch is the only solution on the market today which can monitor encrypted mainframe traffic including VPN encryption.

zWatch provides a one of a kind visual replay of user activities -- screen-by-screen and keystroke-by-keystroke. The system provides Google-like search of screen content stored by the system, enabling security officers and internal auditors to search, for example for all users who accessed a specific customer account and replay the specific user activity.

The implementation process is very short (typically just a few hours), as the system does not require any changes to any of the organization's IT infrastructure or application code.

About Intellinx Ltd.

Intellinx Ltd. is a pioneer in end-user behavior tracking solutions for combating fraud and for regulatory compliance. By providing the tools to detect and prevent fraud attempts and information leakage, Intellinx enables organizations to hold end-users accountable for their actions, while complying with government regulations including FACTA Identity Theft Red-Flags, PCI-DSS, GLBA, HIPAA, Sarbanes-Oxley and Basel II. Intellinx Ltd. products are sold and supported directly by the company, its US-based subsidiary Intellinx Software, Inc., as well as through its worldwide network of distributors and partners in North America, Latin America, Europe, South Africa, and Asia-Pacific. The Intellinx customer base includes large financial, healthcare and government organizations around the world. For more information about Intellinx Ltd., please visit www.intellinx-sw.com .

Author Information

Hagai Schaffer

Intellinx Ltd.

http://www.intellinx-sw.com

Could A Criminal #Hack Your Car's Computer?

2010-05-25T02:13:00.000+10:00

by David Teeghman
Fri May 21, 2010 09:03 AM ET

Computer criminals used to focus on hacking into desktop and laptop computers. However, their next target may not be in your house, but in your garage: your car.

Researchers at the Center for Automotive Embedded Systems Security have found that the internal computer systems in today’s vehicles are susceptible to hackers’ attacks. Without any special knowledge about the cars, researchers were able to take control of the door locks, disable the brakes and even stop its engine, among other things.

Today’s cars are more dependent than ever on computers to perform basic functions, they do everything from wipe the windshield to maintain tire pressure. Researchers say the typical luxury sedan just rolling off the assembly line has about 100 megabytes of code to control 50 to 70 computers inside the car. Some luxury cars have 100 million lines of software code, compared to only 1.7 million lines on a U.S. Air Force jet fighter.

The good news is that a car’s computers are usually under the dashboard, so a hacker would have to break into the car manually in order to get anywhere near them. (Unless you are Yves Behar, and in that case, you WANT people to hack your car.)

Hackers might not be willing to go to such lengths to take control of a car, but a skilled computer criminal (which may be a better description, since not all hackers are criminals) can still compromise a car’s computer system remotely by sneaking in through the car’s wireless entry points.

Those wireless entry points include satellite radios and automatic crash-response systems, and the number of wireless connections to a car’s computer system are rapidly expanding, with the advent of 4G, dashboard Internet services and vehicle-to-vehicle (V2V) communications.

Once a hacker is inside the car’s internal network, there are few defenses. Electronic connections between components are linked for safety reasons. For example, car doors pop open when a airbags are activated. But that connection makes it easier for a hacker to make his way from one computer to the next.

Researchers say that as they learn more about the threats, their ability to fight hackers will improve. But for now, your car may be vulnerable crimes mainly associated with the Internet.

Source: http://news.discovery.com/tech/could-a-criminal-hack-your-cars-computer.html

Olvida las cookies, llegan los ‘Fingerprints’

2010-05-20T00:50:00.000+10:00

Los resultados de una reciente investigación ponen de manifiesto que los usuarios son menos anónimos de lo que se cree.

Publicado por Rosalía Arroyo

el 19 de Mayo de 2010

Incluso sin las cookies, navegadores como Internet Explorer o Firefox, dan a los sites suficiente información como para tener una imagen de sus visitantes el 94% del tiempo. Al menos es lo que se desprende de una investigación realizada hace unos meses por la Electronic Frontier Foundation, o EFF.
La investigación, según esta organización, cuantifica lo que muchos expertos en seguridad saben desde hace años. Peter Eckersley, encargado de la investigación descubrió que la información sobre la configuración del PC del usuario –los datos sobre el tipo de navegador, sistema operativo, plugins e incluso las fuentes instaladas, son recogidos por los sitios web para crear una ficha de la mayoría de sus usuarios, lo que significa que los internautas son menos anónimos de lo que creen. Los expertos aseguran que incluso cuando se desactivan o eliminan las cookies y se utiliza un proxy para esconder la IP, todavía se puede rastrear al usuario.
Realmente los datos no identifican a los internautas, pero crea una ‘fingerprint’, una huella digital, que se puede utilizar para identificar al usuario cuando visita otras páginas web.
Utilizando JavaScript, las páginas web son capaces de investigar los ordenadores y conocer un montón de cosas sobre ellos, y la navegación segura que ofrecen algunos navegadores no es garantía suficiente en la mayoría de los casos. De hecho, existen algunas compañías que han empezado a ofrecer soluciones a estos casos que permiten hacer el mismo seguimiento a los usuarios esquivos. Nombre como 41st Parameter, ThreatMetrix o Iovation son comunes en entornos de banca electronic o e-commerce.

#PCI Compliance Does Not Equal #Security

2010-05-19T02:50:00.000+10:00

By Danny Lieberman, Security Expert and Founder of Software Associates

I recently saw a post from a blog on a corporate web site from a company called Cloud compliance, entitled Is Compliance is the New Security Standard.

Cloud Compliance provides a SaaS-based identity and Access Assessment (IdAA) solution that helps identify and remediate access control and entitlement policy violations. We combine the economies of cloud computing with fundamental performance management principles to provide easy, low cost analysis of access rights toprevent audit findings (sic) and ensure compliance with regulations such as SOX, GLBA, PCI DSS, HIPAA and NERC.

The basic thesis of the blog post was that since companies have to spend money on compliance anyhow, they might as well spend the money once and rename the effort “security”.

This is an interesting notion – although perhaps “placebo security” might be a cheaper approach.

Compliance is not equivalent to security for several fundamental reasons.

Let’s examine this curious notion, using PCI DSS 1.2 as a generic example of a regulatory compliance standard that is used to protect payment card numbers:

Filling out a form or having an auditor check off a list is not logically equivalent to installing and validating security countermeasures. A threat modeling exercise is stronger than filling out a form or auditing controls – it’s significant that threat modeling is not even mentioned by PCI DSS, despite the ROI in think time.
Although PCI DSS 1.2 is better than previous versions – it still lags the curve of typical data security threats – which means that even if a business implements all the controls – they are probably still vulnerable.
PCI DSS was designed by the card associations – there is no way that any blanket standard will fit the needs of a particular business – anymore than a size 38 regular suit will fit a 5′ 7″ man who weighs 120 kg and wrestles professionally.
PCI DSS talks about controls with absolutely no context of value at risk. A retailer selling diamond rings on-line, may self-comply as a Level 4 merchant but in fact have more value at risk than then the payment processor service provider he uses. (See my previous post on Small merchants at risk from fraudulent transactions )
PCI DSS strives to ensure continued compliance to their (albeit flawed) standard with quarterly (for Level 1) and yearly (for everyone else) audits. The only problem with this is that a lot of things can happen in 3 months (and certainly in a year). The automated scanning that many Level 2-4 merchants do is essentially worthless but more importantly – the threat scenarios shift quickly these days – especially when you take into account employees and contractors who as people are by definition, unpredictable.
PCI DSS 1.2 mandates security controls for untrusted networks and external attacks. The phrases “trusted insider” or “business partner” are not mentioned once in the standard. This is absurd, since a significant percentage of the customer data breaches in the past few years involved trusted insiders and business partners. A card processor can be 100 percent compliant but because they have a Mafia sleeper working in IT – they could be regularly leaking credit card numbers. This is not a theoretical threat.
Finally – PCI DSS is a standard for whom? It’s a standard to help the card associations protect their supply chain. It is not a policy used by the management of a company in order to improve customer service and grow sales volume.

To summarize:

PCI DSS is a standard for the card associations not for your business, nor for your customers.
As a security standard it is better than none at all, but leaves much to be desired because it is not oriented towards the business and consumer protection

Source: http://alturl.com/crs7

Is #Information Protection Even Possible?

2010-05-19T02:46:00.000+10:00

December 17, 2009 by Danny Lieberman, Security Expert and Founder of Software Associates

A Few Months ago I saw an article inComputerWeekly that asked – Is data loss prevention possible?
“Data is out of control in the corporate world…I think… the only way that we can have influence on the likelihood of (data loss) occurring is through a couple of fundamental controls, namely 1. Reduce and limit access to data 2. Control the “copy-ability” of data…”
I think that a more relevant question is “Is information protection possible?”
The author correctly identifies that it’s easier to access data (and leak it) than to modify or delete data. However, the notion that data is out of control in the corporate world is an over-reaction and does a mis-justice to most businesses.
Companies already manage access and control “copy-ability”. This is not new, nor is it effective against the threat of a major data loss event.
Organizations from SME and up to Global 2000 use Microsoft networks based on Active Directory with planned (not always well executed) group policies and permissions management.
Controlling access and copy-ability in the service of business objectives is precisely the objective of these systems.
If you need finer-grained copy protection – there are dozens of endpoint security products – from Checkpoint, Mcafee and Symantec to Controlguard.
If you need finer-grained rights management, there are products like Microsoft DRM and Oracle IRM. Personally, I don’t think that DRM is effective for enterprise information protection.
DRM changes the user experience and depends on user behavior, it can be broken and or bypassed and DRM systems are difficult to deploy on a large scale because of the above constraints.
However – permissions and rights access management and lately, removable device management have not prevented major data loss events like Heartland or Hannaford.
The reason for this is that once rights are granted – the user is trusted and can move the data anywhere he or she wants.
We need information protection, not copy protection; and in a way and at a cost that is a good fit for the business.
Information protection is possible by taking a value-based approach that integrates with the business operation.
Analyze your business requirements and threat scenarios – and only then – consider data loss prevention solutions like enterprise information protection fromVerdasys, agent DLP from Mcafee or a gateway DLP solution from Fidelis Security.

Source: http://alturl.com/ccah

Taking CreditCard #Security Seriously

2010-05-19T02:24:00.000+10:00

by David F. Carr, 05.17.10, 06:00 PM EDT

Small businesses should not expect to fly under the radar forever.

The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I'm talking about lying and praying.

In 2004 the major credit card companies got together to define a common Payment Card Industry Data Security Standard (PCI DSS, often referred to as just PCI). They are gradually ratcheting up the pressure on merchants of all sizes to comply. Large companies, and some smaller ones that process a large volume of transactions (particularly if they're doing it on the Web), are required to have an independent review of their processes and systems by a security professional credentialed as a qualified security assessor (QSA). Most small businesses can instead complete a self-assessment questionnaire, where they essentially grade themselves. That's where the lying comes in. It's not so hard to check off all the right answers ("Sure, I review my e-commerce server logs on a daily basis.") without actually making them true.

If you're lying, you had better also be praying. If caught, you could be fined for non-compliance, to the tune of tens or hundreds of thousands of dollars--enough to put many a small organization out of business. Expect even harsher treatment if someone hacks your systems and downloads card data you claimed you weren't even storing.

Most of the requirements are basic security, like making sure there is a firewall between your Internet connection and any system that stores credit card numbers. Factory default passwords on your network equipment must be changed, so that no one can log on as user "admin," password "admin." And so on. More specifically, you're responsible for protecting card holder data, and there's some data you're never supposed to store--like the full contents of a card's magnetic strip.

Many small businesses are still under the impression that the rules don't apply to them because they're too small, or because they don't conduct e-commerce. Actually, the rules apply to any business--and even any nonprofit--that takes credit card payments. You can look for ways to lighten the compliance burden, but you can't get yourself off the hook entirely. Even if no one has yet compelled you to complete a questionnaire or conduct an automated scan of your networks, you're still supposed to be locking down your systems.

Some businesses complain this all sounds too complicated and expensive. But they are missing the point, says Anton Chuvakin, author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. The PCI rules really represent theminimum security standards businesses must meet to be fair to their customers, who, after all, are trusting the merchant every time they hand over a credit card number. In the wake of a card security breach, a larger business might suffer from the fines, damages and adverse publicity resulting from a card security breach. By contrast, "a small business is more likely to be GONE," Chuvakin said. "Businesses that endanger their customers really do deserve to die."

If your organization is not equipped to handle credit card data securely, maybe you should not be handling it at all. Look for ways to shift as much of the burden as possible onto a service provider that specializes in secure payment processing. Services such as PayPal and Authorize.net let you forward customers to their websites for payment processing; credit card numbers never pass through your hands at all.

Small businesses such as restaurants that use an older generation of countertop credit card terminals may be breaking the rules inadvertently because the device stores magnetic stripe data or otherwise violates the PCI requirements. So consider upgrading to a payment device that is certified PCI compliant. Basic terminals capable of encrypting Personal Identification Number (PIN) codes and protecting other sensitive information are available for as little as $100 and might even be offered free by merchant account services trying to win your business. The PCI Security Standards Council publishes a list of approved devices. Just remember that using a compliant device is only one element of making your business compliant.

Even if you're not storing anything explicitly prohibited, you may be storing more credit card data than you need to. Small merchants typically store a day's worth of credit card numbers on a card swipe terminal, then process all the transactions in a batch at the end of the day. Bigger retailers may record the card numbers in a centralized database so they can track all a customer's purchases, and so they can retrieve the number if they need to issue a refund. But do you need to retain those numbers at all?

Perhaps not. Martin McKeay, a QSA and author of the Network Security Blog, recommends looking at new strategies for using end-to-end encryption and "tokenization."

For example, payment processor First Data ( FDC - news -people ) and security software firm RSA Security have developed a product called TransArmor that allows merchants to get authorization for a credit card number and then immediately dispose of the card number, replacing it with a token. The token is another number that acts as a stand-in for the credit card number itself. First Data keeps track of which tokens correspond with which credit card numbers. So if you're executing previously authorized transactions at the end of the day, you send First Data a batch of tokens, and it relays the card numbers on to the bank. But if the tokens are stolen, by themselves they are worthless to anyone else.

"With this, the only time you need the true credit card number is when you do the authorization," says Craig Tieken, First Data vice president of merchant product management. "The merchant, in our opinion, no longer needs the card number." TransArmor is still in beta testing, scheduled for release in the summer of 2010.

David F. Carr is Forbes' columnist on technology for small to midsize businesses. Contact him at david@carrcommunications.com.

Source: http://alturl.com/wipe

Edades de las distros #Linux

2010-05-12T23:45:00.001+10:00

by alexsandovalm

He creado un gráfico comparativo del tiempo que llevan algunas distribuciones Linux, tomando como referencia las más visitadas en Distrowatch además de las respetables y veteranas Slackware y Red Hat.

El gráfico lo he creado en OpenOffice.org Calc. Los datos los he tomado de Wikipedia, y las edades están calculadas al año 2010.

Enlaces:

Conociendo a #Zeus

2010-05-12T23:33:00.000+10:00

Para las personas que no han oído hablar del troyano ZEUS, aquí les dejo esta información. El Troyano Zeus fue creado por el famoso hacker ruso llamado AZ, este hacker tenía como objetivo cambiar su viejo coche por uno último modelo y empezó a crear al troyano, logrando su objetivo mediante la venta de licencias del programa. Muchas de las mafias y compradores de este troyano se han hecho millonarios también, pues la funcionalidad del troyano es la de robar datos de acceso a cuentas bancarias online o a sitios transaccionales.

Por decirlo de una manera más clara, Zeus es el terror de las transacciones en línea y aunque tiene unas características especiales que lo hacen indetectable ante la gran mayoría de antivirus, su fortaleza radica en el ataque MAN IN THE BROWSER es decir a diferencia del MAN IN THE MIDDLE este logra meterse directamente en el navegador de la víctima y recolectar la información que requiere para realizar el fraude, no se trata de una página falsa como en el ataque de PHISHING simplemente agrega a la página original de la entidad Financiera a la que desea afectar, nuevos campos para que sean diligenciados por la victima, esto lo puede hacer debido a la infección que realiza del sistema operativo y del navegador.

Otro aspecto que me pareció interesante es la forma en la que se infecta la víctima. Esto lo realizan mediante la visita a una página WEB y la víctima ni siquiera nota que ha sido infectado.

Ahora bien para que Zeus opere veamos la anatomía básica de un ataque (TODO ES DE CARÁCTER EDUCATIVO Y NO DEBE SER USADO PARA CAUSAR DAÑO).

Debido a que este tema es delicado incluso es investigado por el FBI y por varias autoridades se reservaron algunos detalles técnicos y profundidad en el tema, a continuación los pasos básicos del ataque:

Comprar las herramientas necesarias para el ataque y determinar la página que se desea

infectar :

Compra en foros de cybercriminales los programas ZEUS, MPACK u otro PACK de infección.
Compra de Hosting para el control remoto de las maquinas infectadas.
Compra de Hosting para la colocación del paquete que infecta.
Selección de la página WEB que se desea, sirva como fuente de infección para la víctima, esta debe ser una página muy visitada para tener mayor espectro de difusión del troyano.s herramientas necesarias para el ataque y determinar la página que se desea infectar :

Una vez se cuenta con la información anterior se procede con la infección de la página que va ser utilizada para propagar el troyano.
El troyano se configura para atacar a los diferentes sitios online (bancos, paypal, amazon, etc) que se desean, colocando las direcciones WEB respectivas.
La víctima visita el sitio infectado, se infecta y no es detectado por el antivirus.
El atacante recibe el reporte de que la victima ha sido infectada y procede con el control total de la máquina, reconfigura el troyano según lo considere o simplemente espera.
La víctima visita su entidad financiera y en el navegador aparecen campos nuevos que le solicitan información adicional, la cual al ser digitada por la víctima es remitida al centro del control o web site definido por el atacante, esto puede ser incluso en línea con alertas de tal modo que se pueden robar también códigos OTP (one time password).
El atacante usa la información recolectada para cometerle fraude a la víctima.

Autor:Ing. Esp. Jorge Mario Rodríguez F, CISSP – CISM - CHFI

Are Physical #Attacks On POS PIN Pads Rising?

2010-04-23T01:13:00.000+10:00

Written by Evan Schuman

April 21st, 2010

One of the oldest tenets in security is that professional thieves will always attack the perceived weak point of security. A burglar will hit the back door until it’s reinforced with multiple deadbolts and then he’ll turn to the window. If that’s replaced with bullet-proof glass with bars in front, he’ll ring the doorbell. If every door and window is perfectly protected, he’ll sledgehammer through the wall.

This reality is why we’re seeing a sharp increase in reported thefts of PIN pad units. Substantial efforts in recent years to protect the data within a split second of a card being swiped have done little beyond making PIN pads the victim of physical attacks. Units are replaced either with a skimmer attached or by a clone of the full device.
The attacks require more courage and brawn than a typical cyberthief displays. (Although with cyberthief extraordinaire Albert Gonzalez’s claims that he regularly performed 5,000 sit-ups per session, maybe he’d have been an exception.)
As BankInfoSecurity reported on Monday (April 19), an attack on Hancock Fabrics is an ideal example of this PIN pad trend. The chain confirmed that, last summer, “PIN pad units at a limited number of Hancock Fabrics stores were stolen and replaced with visually identical, but fraudulent, PIN pad units.”
The problem with Hancock’s statement is the four steps CEO Jane Aggers said the chain is taking to correct the issue. First, “upgrading the PIN pad units at the point of sale in all of our stores with new PIN pad units that were designed to meet the toughest security requirements.” Second, “working with forensic investigators to analyze the extent of any unauthorized access to customer information and to identify and address any issues that have been identified.” Third, “installing automated systems to monitor each of the PIN pad units daily to look for suspicious activity.” And fourth, “implementing new store-wide policies with respect to daily inspection of the PIN pad units.”
Upgrading the PIN pad units is a fine way to go. But anything short of soldering them to the wall and encasing the units with bullet-proof glass won’t address physical attacks. Although working with forensic investigators is a great thing, it won’t prevent similar attacks from happening again.
The “automated systems” that will “look for suspicious activity” sound an awful lot like video cameras, which are fine but also easily disabled. “Daily inspection” points sound like a good idea, but it’s something that will likely be relaxed within two weeks of being launched.
How about automating some of these tasks?
Or what about discreetly placing RFID tags in multiple locations around the POS area. They would constantly ping each other and loudly alert the store whenever the distance between any two tagged devices changes. The new lookalike devices would be easily detected, unless the thieves are able to remove the RFID tag and place it in the same place on the new unit.
That’s very difficult to do in a quick swap. Also, that tag can be affixed in such a way as to break the main device if it’s forcibly removed. If the units are working properly, a change in location would be detected the instant any tampering begins.
As for a skimmer being attached, perhaps a very sensitive weight verification mechanism could flag any devices that seem to gain a little mass overnight. (Good idea for PIN pads. Bad idea for columnists.)
Posted in IT Strategy/Industry, In-Store, Payment Systems, Security/Fraud

Elementos de Seguridad y Phishing Bancario

2010-04-22T05:24:00.002+10:00

En el pasado ya se ha hablado en este blog sobre cómo protegerse del “phishing”, en especial del phishing bancario. Recientemente el proveedor de alojamiento web Arsys ha creado una página web con un sencillo test para aprender a identificar los elementos de seguridad de un sitio web. La dirección de esta página web es www.pondriaaquisusdatos.es.

Cabe decir que el hecho de que un sitio web no tenga todos los elementos de sguridad no significa que automáticamente se trate de un caso de phishing, o de un sitio inseguro. Por supuesto, cuantos más elementos incluya un sitio, más confianza nos dará. También debemos recordar que en navegadores muy antiguos es posible que no aparezcan los elementos de seguridad más avanzados.

En general este test me parece útil para habituarse a buscar los elementos básicos de seguridad al entrar en páginas donde se solicitan nuestros datos. Encontrará más información sobre cómo protegerse del phishing bancario en este post.

Fuente: Cuentas y Depósitos Blog

HACKING AUSTRALIA

9 Reasons to Enforce Web Security within the Organization

User error is the biggest threat on the Internet

Twitter users beware: Homeland Security isn’t laughing

Monitoring social media makes sense — within reason

5 reasons to enforce email monitoring

Video: New Banking Trojan Caught Breaking CAPTCHA

Recommended Reads

Protecting Data Is Not a Black and White Issue

Phishing Attacks Can Happen On Your Mobile Phone Too

What is a phishing attack?

Seven Ways to Get Yourself Hacked

How to Boost Your Phishing Scam Detection Skills

What You Can Do

Check the URL

Always Go Direct

What Your Browser Can Do For You

Turn Off Form Autofill

Utilize Your Browser's Built-In Tools

Bump Up Your Phishing Protection with Web of Trust

Bait Your Users with the Simple Phishing Toolkit

Working with SPT

Could be Used for Good or Evil

Beware of fake Megaupload “comeback” phishing scams

Ensuring Online Banking Security

Email and web scams: How to help protect yourself

Our bad habits put us at risk

Stratfor reopens website

Man gets a year in prison for hacking, wiping medical competitor's computer

5 reasons cybersecurity matters to small businesses

5 top cyber threats for 2012

Biggest security threats in 2012 are cyber espionage, privacy violations

What to Do If Your Online Account's Been Hacked.

Stratfor Hack Shows Even Experts Use Awful Passwords

How strong is your privacy?

OLYMPIC TRUST LOTTERY Scam

New Image!!! / Nueva Imagen!!!

Windows 8 Has A Friendlier Blue Screen Of Death

Book: Backtrack 5 Wireless Pentesting

Android malware outsmarts bank security.

RedHat jakarta: Increased privileges

RedHat squid: Execute arbitrary code

RedHat httpd: Denial of service

Cisco Systems: Execute arbitrary code/commands

Anonymous dice que destruirá Facebook el 5 de noviembre

La niña de 10 años que da 'clases' a los hackers

Kaspersky disputes McAfee's Shady Rat report

New Desktop Blogging for Linux

Epsilon: Mayor robo de datos online de la historia

De la C, la E y la H

6 Easy Steps To Increase Your Privacy On Facebook

Six Really Easy Steps

Modifying Friend Lists

Limiting Who Sees What

Consejos para Navegar Seguro

Conoce OWASP, una excelente iniciativa de Seguridad

Proyecto Top Ten

Proyecto Application Security Verification Standard (ASVS)

Proyecto WebScarab

Proyecto Secure Coding Practices

Proyecto Enterprise Security API (ESAPI)

Seguridad VS Usabilidad: Mejor educar

Commonwealth Bank #Phishing #Australia

Gone #Phishing and your the fish!

Gmail #phishing campaign is under way

ArcSight up for sale at $1.5 billion #SIEM

Cuidado con el #phishing

Reduccion del #Phishing

Aprueban reforma a Ley de Bancos

Friends & Family I'm going to be a Dad.... #baby

El Correo Electrónico De #Phishing Perfecto

Tabnabbing; #phishing a través de las pestañas del navegador

SSH tunnel with #PuTTY

Prerequisites

Set up the tunnel

Add the tunnel

Save the session

Open the session

Robo de información, una amenaza en la red: #phishing

¿Su cuenta de #Blogger esta por ser suspendida?