Monday, 31 August 2015

Test Post from Information Security Newspaper

Test Post from Information Security Newspaper http://www.securitynewspaper.com

Malware infecting jailbroken iPhones stole 225,000 Apple account logins

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2015/09/01/malware-infecting-jailbroken-iphones-stole-225000-apple-account-logins/
TAGS: jailbreaking, malware, SQL-injection

A newly discovered malware family that preys on jailbroken iPhones has collected login credentials for more than 225,000 Apple accounts, making it one of the largest Apple account compromises to be caused by malware.


KeyRaider, as the malware family has been dubbed, is distributed through a third-party repository ofCydia, which markets itself as an alternative to Apple's official App Store. Malicious code surreptitiously included with Cydia apps is creating problems for people in China and at least 17 other countries, including France, Russia, Japan, and the UK. Not only has it pilfered account data for 225,941 Apple accounts, it has also disabled some infected phones until users pay a ransom, and it has made unauthorized charges against some victims' accounts.


Researchers with Palo Alto Networks worked with members of the Chinese iPhone community Weiphone after members found the unauthorized charges. In a blog post published Sunday, the Palo Alto Networks researchers wrote:


KeyRaider has successfully stolen over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. The malware uploads stolen data to its command and control (C2) server, which itself contains vulnerabilities that expose user information.


The purpose of this attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. Jailbreak tweaks are software packages that allow users to perform actions that aren’t typically possible on iOS.


These two tweaks will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.


Some victims have reported that their stolen Apple accounts show abnormal app purchasing history and others state that their phones have been held for ransom.


As if the theft of the Apple account credentials wasn't bad enough, the data was uploaded to a website that contained a SQL-injection vulnerability. The flaw made it trivial for outsiders to access some of the records. Most of the e-mail addresses of affected uses suggest they are Chinese or possibly Chinese people living in other countries.


SQLThe KeyRaider discovery provides a cautionary tale about the risks of jailbreaking iPhones. Most security experts discourage the practice unless it's done by highly experienced people who know exactly what code they're using to circumvent Apple engineers' safeguards and, once that's done, what alternative apps they're installing.


Source:http://arstechnica.com/


Information Security Newspaper

Qué son y cómo configurar los DNS en Windows, OS X y Linux

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/importantes/que-son-y-como-configurar-los-dns-en-windows-os-x-y-linux/
TAGS: DNS, DNS en Linux

Los servidores DNS son los encargados de mover gran parte de las operaciones realizadas en Internet. Configurarlos bien puede suponer grandes ventajas.


Cuando pensamos en cómo funciona Internet nos imaginamos una gran red en la que se pasan millones de datos a velocidades de vértigo. Sí, más o menos es eso, pero hay ciertos sistemas más técnicos que tener en cuenta para que se pasen esos millones de datos a velocidades de vértigo.
Uno de ellos es el sistema de DNS, que resumiendo, es el encargado de hacer que tu ordenador entienda a qué página quieres dirigirte o por dónde quieres llegar a esa página en concreto. El sistema DNS se instala en servidores, hay muchos y a pesar de que tienes uno por defecto (que te lo ofrece tu proveedor de Internet), puedes cambiar tu servidor de DNS.
¿Qué son y qué hacen los servidores DNS?
Domain Name Service es el nombre completo del sistema DNS y como hemos indicado anteriormente son unos enormes servidores pertenecientes a empresas privadas o públicas. ¿Cómo funcionan exactamente los servidores DNS? Se dedican básicamente a traducir la dirección de una página web para que Internet la entienda. Por ejemplo, cuando escribimos malavida.com el DNS traduce eso a 92.192.108.161. Es la IP de la página web y los servidores DNS son los encargados de traducir las URLs en IPs y viceversa.
Generalmente cada operadora o proveedor de Internet tiene sus propios DNS y con ellos hace que tu conexión a Internet sea más sencilla. Pero casi siempre, al cambiarlos podemos mejorar nuestra velocidad de conexión, evitar la censura y un par de ventajas más que veremos a continuación.



Realmente todo tiene una IP en Internet. El servidor DNS también tiene su propia IP, por ejemplo si utilizas Movistar como proveedor de Internet seguramente el DNS al que estás conectado es 80.58.61.250 o si utilizas Orange el DNS que tienes configurado es 62.36.225.150. Aparte de las operadoras, también existen DNS públicos o gratuitos: OpenDNS, Arsys o incluso Google ofrecen DNS para los usuarios.


Como intermediario entre Internet y usuario, el DNS puede controlar parte de lo que navegas. Es decir, si por ejemplo el proveedor decide que no debes acceder a una página que vende drogas le ordenará al DNS que automáticamente bloquee todas las peticiones para ir a determinada página. Esto es un arma de doble filo, pues por un lado nos puede proteger de contenidos maliciosos pero por el otro puede bloquear páginas que no necesariamente son perjudiciales para el usuario, por ejemplo el bloqueo en España a Uber. Es aquí donde entra en acción OpenDNS o los DNS de Google, ya que evitan estos bloqueos inecesarios.



Cómo cambiar y configurar los DNS en tu ordenador


Por defecto tu ordenador está conectado a los DNS de la operadora que te ofrece acceso a Internet. Pero no estás obligado a usar estos DNS, sino que puedes cambiarlos manualmente. Obtienes varias ventajas al hacerlo:



  • Es posible que la velocidad o fiabilidad de tu conexión a Internet mejore, algunos DNS son más veloces que otros

  • Puedes protegerte contra ataques phishing o contenidos no deseados

  • Tienes acceso a contenidos bloqueados por geolocalización, por ejemplo un servicio que solo opere en Estados Unidos

Configurar los DNS en Windows


  1. Debemos acceder a la siguiente ventana: Panel de control > Redes e Internet > Centro de redes y recursos compartidos > Cambiar configuración del adaptador

  2. Elegimos el adaptador que estamos utilizando y pulsamos en Propiedades con clic derecho

  3. En Funciones de red > Protocolo de Internet versión 4 (TCP/IPv4) pulsamos en Propiedades

  4. Aquí es donde cambiamos el servidor de DNS preferido y el alternativo

Configurar los DNS en Linux


  1. Abrimos el Terminal y ejecutamos el siguiente comando

<code>


nano /etc/resolv.conf



  1. Buscamos la línea de código de nameserver y bajamos dos líneas los existentes para añadir dos nuevos

  2. Escribimos “nameserver 80.58.61.250”, sustituyendo 80.58.61.250 por la dirección del DNS que queramos configurar

  3. Con Ctrl+O guardamos los cambios efectuados

Configurar los DNS en OS X


[caption id="attachment_5847" align="alignnone" width="619"]Cambiar DNS en OS X Cambiar DNS en OS X[/caption]
  1. Nos dirigimos a Preferencias del sistema > Red > Avanzado…

  2. En la pestaña DNS pulsamos + para añadir direcciones DNS

  3. Añadimos los DNS que nos interese y guardamos los cambios

¿Qué servidor DNS debes configurarte?


Como en todo, depende de cada persona y trabajos que realiza. Normalmente si tu proveedor de Internet no te da problemas a la hora de navegar y tampoco bloquea ningún sitio al que te interese acceder, no hay razón para cambiarlos.


Sin embargo, hay diferentes servidores DNS que merecen la pena y no cuesta nada configurarlos.Personalmente te recomiendo los DNS de Google, son los más potentes y fiables y te ofrecen acceso internacional. No obstante también tienes los OpenDNS que son gratuitos y protegen de sitios no deseados.



  • DNS de Google: 8.8.8.8 y 8.8.4.4

  • DNS de OpenDNS: 208.67.222.222 y 208.67.220.220

Disponer de una conexión a Internet más segura y veloz es muy sencillo. Así que prueba  cambiar los DNS de tu ordenador por unos públicos y fiables. Desventajas realmente no existen y ganas en privacidad.


Fuente:http://www.malavida.com/


Noticias de seguridad informática

Un universitario se enfrenta a 10 años de prisión por crear malware para Android

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/malware-virus/un-universitario-se-enfrenta-a-10-anos-de-prision-por-crear-malware-para-android/
TAGS: android, Darkode, Malware

La creación y distribución de malware, y otro tipo de amenazas contra la seguridad informática están penadas por la Ley en muchos países. Un estudiante de la Universidad Carnegie Mellon, en Pensilvania, se enfrenta a 10 años de prisiónprecisamente por esto, y es que según él mismo ha reconocido, creó y distribuyó malware para Android. Concretamente, una aplicación capaz de controlar de forma remota el dispositivo móvil de otros usuarios.


Evidentemente, lo más probable es que no termine encerrado 10 años por el delito del que es culpable, y que él mismo ha reconocido. El estudiante universitario de tan solo 20 años, no obstante, sí tendrá que pagar con su libertad por haber infectado teléfonos inteligentes y tabletas Android con malware diseñado para atacar directamente contra la privacidad de sus usuarios. Según se descubre en el desarrollo de la condena, “el software Dendroid…”, por el que ha sido declarado el joven de 20 años, “…está diseñado para espiar mensajes, robar archivos, tomar fotografías…” todo ello de forma remota y contra una víctima.


Un universitario se enfrenta a 10 años de prisión por crear malware para Android

El joven vendía esta pieza de malware por 300 dólares a cada cliente a través del “mercado negro”, Darkode.


El software en cuestión, Dendroid, ha estado anunciándose en Darkode y algunos han tenido la oportunidad de comprarlo por 300 dólares, lo que su autor ha justificado alegando que le tomó más de un año en el diseño de las líneas de código. Por otra parte, el joven se planteó la subasta del código fuente, lo que habría permitido a otros consumidores el desarrollo de versiones modificadas de Dendroid. Todo esto, como ya sabemos, viene a raíz de la investigación que se ha abierto tras Darkode, donde se están destapando otros delitos similares contra la privacidad de usuarios en Internet.


Violar la privacidad de otros usuarios, como espiar el WhatsApp, está penado con cárcel.


El caso de este joven nos lleva a recordar que espiar el WhatsApp de otra persona está penado con cárcel, igual que lo está revisar sin autorización su correo electrónico, por ejemplo. Este tipo de malware, como ya hemos explicado, tenía la misión de violar la privacidad de los usuarios víctima, y por el módico precio de 300 dólares han podido ser atacados decenas de usuarios de Android.


Fuente:http://www.adslzone.net/


Noticias de seguridad informática

Hackers Linked to Russian Government Impersonate EFF Website to Spread Malware

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2015/08/31/hackers-linked-to-russian-government-impersonate-eff-website-to-spread-malware/
TAGS: EFF, Java, malware

The Electronic Frontier Foundation (EFF) has issued an alert, urging users to watch out for a spear phishing email campaign that's infecting victims with the Sednit malware.


This was brought to EFF's attention by Google's security team, after the electronicfrontierfoundation.org domain was flagged in one of their routine scans. The official EFF domain name is eff.org.



Spear phishing campaign leads to Sednit malware


Presenting an analysis of the attack, EFF's Cooper Quintin details how the recipients of the spear phishing emails are lured on a Web page that uses the electronicfrontierfoundation.org domain, which, unfortunately, was left unregistered by the organization. Both the emails and the domain use official EFF branding.


Hackers Linked to Russian Government Impersonate EFF Website to Spread Malware

Once on the hackers' domain, the user is automatically redirected to a page that uses a randomly generated URL, where a Java applet is loaded.


After the payload is delivered, the random URL is disabled, to hinder the efforts of security analysts.


This payload, once on the user's machine, uses a recently discovered Java zero-day exploit to load a second payload, a binary file which contains malicious code that operates in the same way as the recent Sednit malware used in Operation Pawn Storm attacks.


As Mr. Quintin explains, the payload "contains code to download a *nix compatible second stage binary if necessary, implying that this attack is able to potentially target Mac or Linux users," not just those on Windows.


EFF researchers were not able to officially identify it as Sednit, but the almost identical way in which it operates makes them believe it is.



Links to the Russian government


As previously investigated by Trend Micro researchers, Operation Pawn Storm seems to be the work of a hacking group closely affiliated with the Russian Government.


Previous victims of Operation Pawn Storm include Western financial institutions, NATO forces, the White House, the Polish government, and various Russian journalists, all critics of the Kremlin regime.


By targeting the EFF website, the hackers behind the recent phishing campaign are hoping to gather information on Russian-based dissidents that regularly visit the EFF website, known for exposing many of the government's abuses.


This information can then "mysteriously" make its way back to Russian authorities, which can then create a database of citizens with anti-government views.


Source:news.softpedia.com


Information Security Newspaper

Russian-speaking hackers breach 97 websites, many of them dating ones

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2015/08/31/russian-speaking-hackers-breach-97-websites-many-of-them-dating-ones/
TAGS: hackers, Russian

ussian-speaking hackers have breached 97 websites, mostly dating-related, and stolen login credentials, putting hundreds of thousands of users at risk.




Many of the websites are niche dating ones similar to Ashley Madison, according to a list compiled by Hold Security, a Wisconsin-based company that specializes in analyzing data breaches. A few are job-related sites.


Batches of stolen information were found on a server by the company’s analysts, said Alex Holden, Hold Security’s founder and CTO. The server, for some reason, was not password protected, allowing analysis of its contents, he said.


None of the dating sites are nearly as prominent as Ashley Madison, which saw sensitive company information, emails, internal documents and details of 30 million registered users released in a devastating data breach. Holden said this Russian-speaking group is not related to Impact Team, which claimed credit for the intrusion into Ashley Madison.


Russian-speaking hackers breach 97 websites, many of them dating ones

The information includes a list of websites and their software vulnerabilities, along with some notes written in Russian, said Holden, a native Russian speaker. All of the websites were breached since July 4 through about a week ago, he said.


IDG News Service has seen the full list but is not identifying the websites. Hold Security comes across such stolen data repositories frequently in their research, but it doesn’t have the resources to contact every company named.


In many instances, Holden said his analysts have confirmed the software vulnerabilities claimed by the hackers.


Many of the sites appear to have database flaws that if exploited give hackers the ability to access other information stored in the systems. Those vulnerabilities are known as SQL injection flaws.


The hackers essentially “are doing what security auditors would,” by externally probing websites for weaknesses, he said.


Holden said it doesn’t appear the hackers have tried to sell the data. What he’s found are large lists of email addresses and, for some sites, lists of unencrypted passwords.


Hold Security specializes in informing companies when their data turns up on offer in underground markets. Information related to some of Hold Security’s clients have turned up in this latest batch.


Companies are primarily concerned that their employees may use the same password to sign up for Web services they use at work, putting a company at risk.


Although security experts advise against it, many people re-use passwords across websites, which is risky if one gets compromised.


Holden said in the case of Ashley Madison, his clients were concerned if high-level employees or those with critical jobs were going to be distracted by the release.


It’s not clear what the hackers plan to do with this data. It doesn’t appear that they’ve stolen more sensitive data on registered users, as was the case with Ashley Madison, where sensitive profile information was dumped, including birth dates, dating preferences and GPS data.


“These hackers don’t know how to monetize the rest of the data, so they steal things that they can monetize,” Holden said.


Usernames and passwords are useful for spammers. The email addresses can also be used by miscreants to blackmail members of dating sites, Holden said.


Various reports stemming from the Ashley Madison leak have indicated some users have been targeted by extortion attempts over email.


Sometimes, hackers use this kind of data to threaten websites with distributed denial-of-service attacks, which can knock a website offline, in order to extract a ransom.


It doesn’t appear these hackers have the same agenda as the Impact Team, Holden said. Impact Team appeared to have a very personal agenda, frequently mentioning Avid Life Media’s former CEO, Noel Biderman, who left the company on Friday.


Source:http://www.computerworld.com/


Information Security Newspaper

ARRESTAN A SEIS PRESUNTOS RESPONSABLES DE LOS ATAQUES NAVIDEÑOS SOBRE PSN Y XBOX LIVE

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/hacking-incidentes/arrestan-a-seis-presuntos-responsables-de-los-ataques-navidenos-sobre-psn-y-xbox-live/
TAGS: lizard squad, PSN y Xbox Live

La navidad del año pasado se vio marcada de manera importante y muy negativa gracias a un ataque cibernético sobre la PlayStation Network y Xbox Live. Miembros del grupo de hackers llamado Lizard Squad, provocaron que estos dos servicios dejaran de funcionar durante la tarde del 24 de diciembre y todo el día de navidad de 2014, arruinando estas fiestas para muchos que pensaban estrenan un PS4 oXbox One. Luego de haber detenido a un par de los responsables, autoridades británicas han hecho más arrestos.


ARRESTED SIX ALLEGED PERPETRATORS OF CHRISTMAS ATTACKS ON PSN AND XBOX LIVE

De acuerdo con un reporte de Bloomberg, las investigaciones de la National Crime Agency del Reino Unido, llevaron a la aprensión de seis presuntos hackers que tuvieron que ver con las agresiones DDoS que dejaron inhabilitados a los servicios antes mencionados. Los detenidos son adolescentes de entre 15 y 18 años.


Por el momento, se desconoce la situación jurídica de los involucrados en todo este asunto, no obstante, vale la pena recordar que una de las personas que fue arrestada hace unos meses, alegó que la intención del ataque era la de demostrar que la seguridad de PSN y Xbox Live era muy floja, y que la información de los usuarios estaba comprometida.


Fuente:http://atomix.vg/


Noticias de seguridad informática

Google OnHub review—Google’s smart home Trojan horse is a $200 leap of faith

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2015/08/31/google-onhub-review-googles-smart-home-trojan-horse-is-a-200-leap-of-faith/
TAGS: home Trojan horse, OnHub, Wi-Fi

Google's OnHub is a bit of a mystery. Google shipped us this box—well, this cylinder—but it won't really talk about what's in it or why it exists. Today, it's a Wi-Fi router from Google; tomorrow it might be something totally different. But it's also a funny glowing cylinder with way too much processing power for its own good, a boatload of antennas, and an ever-present cloud connection to a Google update server so that it can evolve at will. OnHub is a tiny bundle of potential and no one really knows what it will turn into.


Still, you're paying $200 for a Wi-Fi router right now. That's not an unheard-of sum of money for the director of your home network, but the price certainly puts the OnHub in the high-end of the market. For that money, it has mostly the hardware you would expect: dual-band 2.4 and 5GHz 802.11ac Wi-Fi that goes up to 1900Mbps. The big downside is that you're stuck with only one LAN port instead of the usual four, and the typical router settings have been reduced from pages and pages of options to just a handful of tweaks. OnHub is much more than a router, though—or at least, it will be, someday. To us, this looks like Google's smart home Trojan horse.


Google OnHub review—Google’s smart home Trojan horse is a $200 leap of faith

Google's branding conventions give us some insight into its plans. This little cylinder is called "OnHub," but the smartphone app is just called "Google On." Also, on the underside of the OnHub, there's a label that reads "Built for Google On." If we want to start wildly speculating (and we do), we'd say that "Google On" is the name of Google's smart home platform, making "OnHub" the hub for all of your Google On stuff. "Built for Google On" would be the certification process that OEMs go through to ensure their products work with Google's smart home ecosystem.



The Hardware


This particular OnHub was built by TP-Link and is model "TGR1900." Google says it plans to "design new OnHub devices with other hardware partners in the future" and that an Asus model would be out later this year. We're not sure if they will all look alike or if everything will match this design.


OnHub is a 7.5-inch tall plastic cylinder with a 4.5-inch diameter. The cylinder tapers about a half inch on the way down, making it kind of look like a tall flower pot. OnHub has a solid inner cylinder surrounded by a hollow plastic shell, which serves no purpose other than to look pretty. For now the shell comes in blue and black, and Google says more personalization options will be available later.


At the top of the inner cylinder is a distinctive status light ring. It changes a few different colors: blue means OnHub is ready for setup, orange means something is wrong and to "check out the app for details," green means everything is up and running. Give the outer shell a twist and you can lift it off, revealing the port cluster at the bottom and exposing the vent-covered inner cylinder. There are no fans in the OnHub, so the inner cylinder is heavily ventilated.


The port selection is the big downside to the OnHub. There's only one gigabit LAN port, meaning you'll need a separate switch if you want to wire up more than one device. This is really only a downside for people with "medium" sized wired networks. With any other router having more than four wired devices means you would need a switch anyway. Besides the LAN port, there's the requisite power and WAN ports, along with a reset button and a USB 3.0 port. Like a lot of things on the OnHub, the USB port is mysterious and doesn't work right now. Will it be for NAS support? A debug mode? Only time will tell.


On the top of the OnHub are a bunch of ventilation holes, but one of the holes is not a hole. It's plugged up with what Google tells us is an ambient light sensor that will someday adjust the ring light based on the amount of lighting in the room. Right now it's not active.


OnHub also has a speaker—and not a tiny, quiet speaker, but a really loudspeaker. So far, we've only seen it used during setup.


We do know that this little router is packing a ton of processing horsepower. The OnHub is powered by a Qualcomm IPQ8064—a close cousin of the Snapdragon 600 (APQ8064). It's a dual core 1.4GHz SoC using the Krait 300 CPU architecture. The difference between the "AP" SoCs that usually ship in smartphones and the "IP" SoC here is the removal of smartphone-specific features like support for a display, camera, and cellular modem. Together with 1GB of RAM and 4GB of storage, the OnHub has stratospherically-high specs for a router.


Nmap’s OS detection guessed the OnHub to be running "Linux 3.2 - 3.19." OnHub's license page makes several mentions of Gentoo and Chrome OS. According to The Financial Times, OnHub was a project from the Chrome and Google Fiber teams, so it makes sense that they would use parts of Chrome OS. 


Source:http://arstechnica.com/



Information Security Newspaper

El FBI utilizaba páginas falsas para infectar los equipos de delincuentes con malware

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/seguridad-informatica/el-fbi-utilizaba-paginas-falsas-para-infectar-los-equipos-de-delincuentes-con-malware/
TAGS: FBI, Malware

De legalidad más que dudosa pero eficaces, o al menos esa es la impresión que generan desde el FBI en unas declaraciones que han realizado y en las que han reconocido que utilizaban sitios web falsos e infectados con malware que se distribuía entre los ciberdelincuentes y así obtener información relacionada con estos.


Tampoco han querido desde a agencia que se conozca toda la información relacionada, pero al menos se sabe que desde el año 2007 y al menos hasta el 2012 se ha utilizado esta técnica para perseguir a los ciberdelincuentes. Desde el grupo han confirmado que se trataba de un software multiplataforma disponible para Windows, Mac OS X, Linux, iOS y Android y que se descargaba de forma automática en el equipo al acceder el usuario a una determinada página infectada con este contenido.


El FBI utilizaba páginas falsas para infectar los equipos de delincuentes con malware

Una vez descargado el el ejecutable, la instalación era totalmente silenciosa y el usuario no se percataba de la existencia de esta a no ser que consultase los procesos que se encontraban en ejecución en el dispositivo o el listado de programas instalados en el sistema operativo.


Se trataba de un herramienta muy completa que permitía al FBI estar informado de la ubicación del usuario sospechoso y de mucha más información.



El FBI conocía muchos datos relacionados con el usuario


Además de su ubicación, estos eran capaces de conocer los datos de red relacionados con el equipo (ISP, Mac, dirección Ip pública) así como el contenido del equipo: todos los archivos, aplicaciones u otros equipos del mismo entorno de red.


Según ha manifestado el FBI, este malware ayudó en muchas ocasiones a atrapar delincuentes y evitar un gran número de atentados. Sin embargo, no todo el mundo lo ve de la misma forma.



Los colectivos de usuarios recelan de la privacidad


Tal y como suele ser habitual, los usuarios no están de acuerdo con las prácticas utilizadas y lejos de apoyar las soluciones adoptadas por el FBI recelan de ellas, acusando a la organización de espiar de forma deliberada a muchos usuarios, independientemente de la finalidad inicial de la herramienta.


Fuente:http://www.redeszone.net/


Noticias de seguridad informática

Ruskie ICS hacker drops nine holes in popular Siemens power plant kit

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2015/08/31/ruskie-ics-hacker-drops-nine-holes-in-popular-siemens-power-plant-kit/
TAGS: Ruskie ICS hacker

Ilya Karpov of Russian security outfit Positive Technologies has reported nine vulnerabilities in Siemens industrial control system kit used in critical operations from petrochemical labs and power plants up to the Large Hadron Collider.


The holes, now patched, also include two for Schneider Electric kit and cover a mix of remote and local exploits that can grant attackers easy and valuable system access.


The vulnerabilities (CVE-2015-2823) achieve a severity rating of 6.8 and allow remote net pests to authenticate using a password hash but not the associated password.


It affects a variety of specialist SIMATIC WinCC products including Runtime Professional, HMI Mobile Panels, and HMI Basic Panels.


WinCC is used across a large swath of industrial sectors under different conditions and security arrangements that impact vulnerabilities found in the kit.


The US computer emergency response team says the vulnerabilities include man-in-the-middle for attackers accessing the network path between Programmable Logic Controllers, and their communication partners, and a denial of service for bad guys inbetween a Human Machine Interface panel and a PLC.


Ruskie ICS hacker drops nine holes in popular Siemens power plant kit

"An attacker with medium skill level would be able to exploit these vulnerabilities [and] could conduct man-in-the-middle attacks, denial‑of‑ service attacks, and possibly authenticate themselves as valid users," the agency warns.


"ICS-CERT recommends that organisations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation."


The Positive Technology researchers are gurus in hacking industrial control and SCADA systems. Last year they discovered flaws in WinCC kit, also used in the Iran's Natanz nuclear plant targeted by Stuxnet and in monitoring systems for the Large Hadron Collider, that allowed industrial systems to be compromised.


Source:http://www.theregister.co.uk/


Information Security Newspaper

Sunday, 30 August 2015

¿Cómo usar Cycript para romper apps de iOS?

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/tecnologia/como-usar-cycript-para-romper-apps-de-ios/
TAGS: Hacking Ético en México, Seguridad en la Nube, seguridad informática

Acuerdo con los profesionales de empresa de seguridad informática, Cycript permite a los desarrolladores para explorar y modificar aplicaciones que se ejecutan en iOS o Mac OS X utilizando un híbrido de Objective-C ++ y la sintaxis de JavaScript a través de una consola interactiva que cuenta con resaltado de sintaxis. Escrito por Jay Freeman (Saurik) de Cydia, lo que hace es darnos una manera interactiva e inmediata para modificar los procesos que se ejecutan en iOS índico experto de seguridad en la nube.


Si hacemos SSH en un dispositivo iOS con cycript instalado, podemos ejecutarlo directamente desde el dispositivo. Esto inmediatamente nos da acceso a un entorno REPL configurado y estamos listos para jugar señaló Mike Stevens maestro de formación de hacking ético de la organización International Institute of Cyber Security. Es en este punto también podemos decidir cuál es el proceso para inyectar nuestras modificaciones en.


Usted puede inyectar en el proceso de Springboard. El Springboard ayuda a controlar todo, desde la pantalla de bloqueo para la aplicación de conmutación. Antes de usar Cycript y cambiar algo, tenemos que saber lo que queremos cambiar, su nombre y dónde se encuentra menciono experto de sistemas de seguridad en la nube icloud.


Hay varias maneras de encontrar algo que queremos cambiar usando cycript. Una forma es utilizar los header dumps que he mencionado antes de interactuar con las clases, métodos y variables directamente escribiendo sus nombres menciono el experto de empresa de seguridad informática . Otro método - útil si se está modificando una aplicación en lugar de Springboard - es llamar UIApp.keyWindow.recursiveDescription que imprimirá una descripción jerárquica de la configuración de la pantalla en este momento. Usted puede trabajar hacia atrás desde la parte inferior de esta descripción para encontrar finalmente la clase que usted desea cambiar.


¿Cómo usar Cycript para romper apps de iOS?

El método que utilizaremos es función integrada en cycript llamada choose. La función de choose busca en la memoria de proceso inyectado para cualquier clase que busca, y agarra todo como una matriz. Por ejemplo podemos pedir todas las instancias de la clase UILabel, suponiendo que nuestro mensaje No hay Notificaciones será un UILabel. Según Jim Taylor experto de seguridad en la nube que debido a la gran cantidad de UILabel en la memoria, puede fácilmente instalarlo de modo que cycript muestra sólo el texto de las etiquetas. Afortunadamente, debido a la naturaleza de la escritura y de cycript, podemos hacer esto en una sola línea.


[choose(UILabel)[i].text for(i in choose(UILabel))]


for(i in choose(UILabel)) if (choose(UILabel)[i].text == "No Notifications") nnLabel = choose(UILabel)[i];


En el fragmento anterior, hemos guardado el UILabel que es texto coincidente " No Notifications " como nnLabel. Ahora podemos interactuar con la etiqueta tanto como nosotros queremos, e incluso llamar a todos los métodos habituales se pueden usar en un UILabel.


Por desgracia, este pequeño cambio de piratería de memoria no es permanente, cerrar y volver a abrir el centro de notificación provocará código original de Apple para volver a ejecutar y arruinar todo nuestro duro trabajo. Hacer lo permanente el trabajo será el tema que pueden aprender durante de formación de hacking ético, que describe cómo se puede enganchar en el código de Apple mediante programación para cambiar lo que realmente se ejecute, en lugar de cambios temporales.


Noticias de seguridad informática

LizardStresser: Six people arrested in connection with Lizard Squad’s DDoS attack tool

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2015/08/31/lizardstresser-six-people-arrested-in-connection-with-lizard-squads-ddos-attack-tool/
TAGS: DDoS, Lizard Squad, Xbox

British police have today announced the arrest of six people in connection with distributed denial-of-service (DDoS) attacks that attempted to bring down websites belonging to – amongst others – a national newspaper, a school and a number of online retailers.


The link between the attacks is that they all appear to have been conducted using the LizardStresser tool, a DDoS-on-demand service offered by the Lizard Squad hacking gang who managed to take down the XBox Live and PlayStation networks last Christmas.


Last month, Lizard Squad’s self-proclaimed “untouchable hacker god” Julius Kivimäki was given atwo-year suspended prison sentence after being found guilty of a staggering 50,700 computer crimes.


Julius


Readers of We Live Security will remember that in January, Lizard Squad was itself – in a moment of supreme irony – hacked and details of people who had signed-up for the gang’s LizardStresser service passed to the authorities.


Yes, you’ve guessed it. Lizard Squad failed to encrypt its database of registered users – instead storing usernames and passwords in plaintext.


Somehow that doesn’t sound like the work of a true “hacker god”, but never mind.


The news today is that some of the people suspected of deploying LizardStresser maliciously, swamping websites with unwanted traffic without the permission of the site owners, having purchased access to the tool through digital currency services such as Bitcoin, have been arrested as part of “Operation Vivarium”.


Those helping the police with their enquiries include:



  • A 17 year-old male from Manchester had computer equipment seized and was interviewed under caution by the NCA’s National Cyber Crime Unit (NCCU) on 27 August.

  • A 18 year-old-male from Huddersfield arrested and bailed on 27 August by Yorkshire and Humberside police.

  • A 18 year-old-male from Milton Keynes interviewed under caution by the South East ROCU (Regional Organised Crime Unit) on 26 August.

  • A 18 year-old male from Manchester arrested and bailed by North West ROCU and Greater Manchester Police on 26 August.

  • A 16 year-old male from Northampton arrested and bailed by East Midlands ROCU on 26 August.

  • A 15 year-old male from Stockport arrested by the North West ROCU and Greater Manchester Police on 24 August.

Two other suspected users of Lizard Stresser were arrested earlier this year:



  • A 17 year-old male from Cardiff arrested and bailed by South Wales ROCU and NCCU on 16 April.

  • A 17 year-old male from Northolt arrested and bailed by the Metropolitan Police on 03 March.

What I think is most notable about these details is that it is teenagers who are instigating denial-of-service attacks, attempting to bring down sites to disrupt businesses and organisations, presumably with mayhem in mind rather than money-making.


It’s also clear that LizardStresser’s users might have believed that they could do so anonymously, without risk of their identities being discovered. The hack of Lizard Squad earlier this year, and the handing over of user data to the authorities proves that that belief was misguided.


“Acts of unlawful internet behaviour are seen by many of the average public as not being punishable or very rarely caught,” said Mark James, security specialist at ESET. “It is instances like this that should make those involved step up and understand it is a crime to participate in this type of activity, and your anonymity on the web cannot be guaranteed. It’s just a matter of time and resources before you are caught.”


The National Crime Agency says that it is also visiting “approximately 50 addresses” linked to individuals who had accounts on the LizardStresser site, but are not currently thought to have actually launched attacks.


Hopefully when they get an unexpected visit from the police they will feel suitably rattled, and think very carefully before engaging in dubious activity on the internet again.


Source:http://www.welivesecurity.com/


Information Security Newspaper

Netflix: Hackean su protección antipiratería por primera vez

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/hacking-incidentes/netflix-hackean-su-proteccion-antipirateria-por-primera-vez/
TAGS: hackers, Netflix, Piratería, seguridad informática

DRM es una protección que garantiza que los derechos de los contenidos digitales se cumple. Por primera vez, los hackershan logrado saltarse la protección antipiratería DRM de Netflix para sus contenidos 4K en streaming.


Los hackers se habrían salido finalmente con la suya. El que la sigue la consigue y no debían ser pocos los interesados en acabar con la protección antipiratería de Netflix. Así, lo habrían conseguido finalmente con un episodio de la serie Breaking Bad.


Netflix: Hackean su protección antipiratería por primera vez

Dicho capítulo de Breaking Bad habría sido obtenido de la plataforma para el visionado de series y películas online y se habría subido a un servidor de torrents para que otros usuarios puedan acceder al mismo. Más concretamente a TorrentFreak. Podría ser el primer contenido, de muchos, en obtenerse de la plataforma y subirse a la Red.


Los contenidos en UHD, Ultra Alta Definición o 4K (todo viene a ser lo mismo) no han hecho más que llegar. De hecho, la mayoría de televisores en los hogares españoles son "sólo" Full HD. Pese a esto, el sistema de protección DRM para estos contenidos ya han conseguido saltárselo.


No se sabe todavía muy bien cómo han conseguido en esta ocasión los piratas salirse con la suya. A priori, la protección HDCP (High-Bandwidth Digital Copy Protection) en su versión 2.2 se consideraba imposible de piratear, pero finalmente no ha resultado ser tal. HDCP lo que hace es verificar que el usuario tiene una sesión iniciada en Netflix (por supuesto con una cuenta válida y de pago) para servir el contenido.


"La piratería es un problema global. Nosotros, al igual que otros proveedores de contenido,estamos trabajando activamente en formas de proteger el contenido ofrecido en nuestro sitio", ha sido la respuesta que Netflix ha enviado en un comunicado a TorrentFreak.


Todavía se desconoce también si los piratas habrían conseguido eliminar la marca de aguaque generalmente incluyen los contenidos protegidos mediante DRM y que permite identificar al usuario que trata de saltarse la protección, delatándole.


Fuente:http://computerhoy.com/


Noticias de seguridad informática

Friday, 28 August 2015

Vulnerabilidad Ins0mnia ocultaba Apps maliciosas

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/vulnerabilidades/vulnerabilidad-ins0mnia-ocultaba-apps-maliciosas/
TAGS: Ins0mnia, iOS

La actualización de seguridad de Apple del 13 de agosto incluye la corrección  para una vulnerabilidad de iOS que podría extraer datos de ubicación y otra información personal de un dispositivo, incluso si una tarea en particular ha sido desactivada por el usuario.


Una aplicación móvil que explote esta vulnerabilidad también podrá parecer lo suficientemente benigna para burlar las protecciones de seguridad de Apple que custodian la App Store de aplicaciones maliciosas.


Vulnerabilidad Ins0mnia ocultaba Apps maliciosas

Los investigadores de FireEye publicaron hoy un informe sobre la vulnerabilidad a la que llamaron Ins0mnia. La falla no pasa por las restricciones impuestas por Apple en iOS que limitan el tiempo que una aplicación se ejecuta en segundo plano antes de suspenderse automáticamente. La restricción impide el espionaje, dijo FireEye en su informe. Los usuarios pueden aprovechar el administrador de tareas de iOS para cerrar aplicaciones de fondo si así lo desean.


La capacidad de Ins0mnia para eludir estas limitaciones no sólo puso la privacidad del usuario en riesgo sino que también podría afectar el rendimiento del dispositivo.


"Una aplicación maliciosa podría aprovechar la vulnerabilidad Ins0mnia para ejecutarse en segundo plano y robar información confidencial por un tiempo ilimitado sin el consentimiento o conocimiento del usuario", escribieron los investigadores de FireEye Alessandro Reina, Mattia Pagnozzi y Stefano Bianchi Mazzone. "Esta información sensible puede ser enviada a un servidor remoto."


Los investigadores dijeron que la táctica de Ins0mnia es engañar el dispositivo de Apple para hacerlo creer que la aplicación se está depurando, evitando que las restricciones de segundo plano la terminen.



Fuente:http://www.seguridad.unam.mx/


Noticias de seguridad informática

Former Intern at Security Firm Admits to Creating and Selling Dendroid Malware

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2015/08/28/former-intern-at-security-firm-admits-to-creating-and-selling-dendroid-malware/
TAGS: morgan culbertson

The former FireEye intern that was arrested during the Darkode forum FBI crackdown has pleaded guilty and is now facing up to 10 years in prison and a fine of $250,000 / €217,000.


Morgan Culbertson, a student at Carnegie Mellon University, had landed between May 2014 and August 2014 an internship at FireEye, a famous US-based security firm.


Former Intern at Security Firm Admits to Creating and Selling Dendroid Malware

What was unknown to his employers was that Mr. Culbertson had a secret project: the Dendroid malware.



Culbertson created the Dendroid Android malware


This malware string was capable of remotely accessing and controlling Android smartphones, allowing hackers to take over the device and make calls, intercept messages, steal photos, and even start and close applications.


According to Lookout, "Dendroid features some relatively simple  - yet unusual - anti-emulation detection code that helps it evade detection by Bouncer, Google's anti-malware screening system for the Play Store," allowing attackers to easily bundle it with safe-looking apps without being detected.


What was even worse was that Mr. Culbertson had registered on the infamous Darkode hacking forum, a meeting place on the Dark Web where hackers would exchange or buy malicious software.



Dendroid cost only $350


Using the usernames "android" and "soccer," Culbertson was selling Dendroid for $350 / €311. Additionally, for $65,000 / €57,800, he would have been willing to deliver the malware's source code.


His business endeavor was stopped short this last July, when in a joint operation that included law enforcement agencies from 20 countries, the FBI took down the Darkdode forum, arresting several of its users.


To this point, it is unknown how many Dendroid instances Mr. Culbertson has sold, or how many phones have been infected.


Mr. Culbertson is one of the first hackers convicted from that raid, and his sentencing is scheduled for December 2.


Judging that he has no criminal record, has confessed to his crime, and expressed regret, we should expect a short prison sentence.


Source:http://news.softpedia.com/


Information Security Newspaper

How a crook could have taken over your Facebook pages

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2015/08/28/how-a-crook-could-have-taken-over-your-facebook-pages/
TAGS: facebook

It's the third bug of the year for Facebook bounty hunter Laxman Muthiyah.


At the start of 2015 he noticed that if you could view a photo album on Facebook, you could probably delete it as well, with or without permission.


Simply put, as long as you were authenticated by Facebook to delete somephotos, you could in theory delete any photos, as long those photos were already public.



Photo Sync problems


His next bounty-bagging bug involved Facebook's Photo Sync feature, which automatically uploads photos from your phone to Facebook's cloud as a kind of instant backup.


In theory, those autouploaded photos were private by default, and were only supposed to be accessible via your Facebook account.


How a crook could have taken over your Facebook pages

But Laxman found that any other app on your phone that was authorised to read photos stored locally could also read your Photo Sync from the cloud – even if those photos had originally been taken on another device.


So, screenshots taken on your work iPad (screenshots count as photos) could unexpectedly and incorrectly turn up in, say, the screen saver gallery on your personal iPhone.



Page control


Laxman's latest bug could have cost you control over your personal Facebook pages.


Here's why.


Third-party Facebook apps can do things like posting status updates, so a malicious or ill-behaved Facebook app can certainly get you into trouble.


However, an app isn't supposed to be able to get you into permanent trouble by taking over as an administrator of your pages and locking you out.


In theory, then, even if an app goes rogue, you can always wrest control back from it and reverse the unwanted changes.


Except for so-called "business pages" – Facebook pages that aren't specific to an individual account, but instead represent a business and are typically managed by a number of people.


Third-party apps can request a special access permission calledmanage_pages for business content, so you can assign different administration roles to different people in the organisation.


Clearly, you want to be very conservative about which apps you allow tomanage_pages...


...but you aren't supposed to worry about your personal pages, because they aren't, in theory, covered by this privilege.


In other words, even rogue manage_pages apps shouldn't be able to do anything permanent to your personal pages.



Page administration


Laxman found that a manage_pages request to make user X into aMANAGER (administrator) of page PGID belonging to business B looked something like this:




 POST /PGID/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
role=MANAGER&user=X&business=B&access_token=AAAA...


If a rogue app were to replay the same request with PGID set to one of your personal pages, and X set to the rogue apps's developer, the request would fail, because userpermissions requests aren't supposed to work against personal pages.


You have to use the official Facebook interface to make such changes.


But Laxman claims that by the absurdly simple expedient of leaving out the&business=B parameter above, and changing the PGID, he could trick Facebook into accepting the request, and thereby give X administrator rights over one of your personal pages.


Once X is an administrator of your pages, he can then lock you out of them and thus effectively take them over.


That's not supposed to be possible.



What happened next?


This is not an earth-shattering bug, because you'd have to trust an app enough to give it manage_pages rights up front.


But it's a security bypass bug nevertheless, and a reminder that it's often very hard to try every possible combination of potentially risky inputs during testing.


Which is one reason why companies like Facebook run bug bounty programs.


Laxman received $2500; Facebook closed the hole quickly, before anyone else found it and used it to do harm.


Source:https://nakedsecurity.sophos.com


Information Security Newspaper

Una vulnerabilidad en PayPal permite robar el dinero de las cuentas

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/vulnerabilidades/una-vulnerabilidad-en-paypal-permite-robar-el-dinero-de-las-cuentas/
TAGS: PayPal, XSS

Un fallo de seguridad en un servicio de estas características implica un peligro importante, sobre todo si tenemos en cuenta los datos que se manejan. Expertos en seguridad han detectado una vulnerabilidad que afecta al servicio PayPal y que deja expuestos los datos de la cuenta a ciberdelincuentes.


Además de dejar al descubierto las credenciales de acceso a la cuenta del servicio, los ciberdelincuentes podrían hacerse de forma sencilla con los datos pertenecientes a las tarjetas de crédito utilizados en la cuenta, ya que estos se encuentran en texto plano.


Se trata de una vulnerabilidad XSS en toda regla que ha sido descubierta esta misma semana por el investigador egipcio Ebrahim Hegazy y reportada a los responsables del servicio.


Sin lugar a dudas, PayPal resulta de mucha utilidad para todos aquellos usuarios que no quieran utilizar directamente sus datos para realizar el pago en tiendas en línea, evitando posibles robos de información, sin embargo, de nada sirve este tipo de precauciones si el peligro se encuentra en el propio servicio.



¿Cómo se puede explotar esta vulnerabilidad?


El investigador ha detallado en su blog el proceso completo para realizar el robo de los datos que hemos mencionado con anterioridad.


Para llevar a cabo este proceso, en primer lugar se debe crear una tienda en línea falsa o hackear alguna ya existente, modificando el botón encargado de conducir al usuario a la página propia para realizar el pago.


Una vez conseguido esto, el usuario será conducido a una nueva página propiedad de los ciberdelincuentes que continuará protegida bajo SSL. Sin embargo, esta es totalmente falsa y servirá para llevar a cabo el robo de los datos que el usuario introducirá en el formulario existente.


Cuando el usuario pulse en realizar el pago, este habrá abonado la cantidad a los ciberdelincuentes y es probable que haya suministrado más datos de los necesarios, llendo a parar a los servidores de los ciberdelincuentes.




Fuente:http://www.redeszone.net/
Noticias de seguridad informática

Huddersfield teen among six arrested over cyber attack by notorious hacking group

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2015/08/28/huddersfield-teen-among-six-arrested-over-cyber-attack-by-notorious-hacking-group/
TAGS: DDoS, Xbox

Six teenagers, including an 18-year-old from West Yorkshire, have been arrested on suspicion of launching cyber attacks using a service created by a notorious hacking group which previously targeted Xbox and PlayStation networks.


The male suspects, who are aged between 15 and 18, were held during an operation targeting alleged users of a tool known as Lizard Stresser.


It works by launching distributed denial of service (DDoS) attacks, in which web servers or websites are flooded with massive amounts of data, leaving them inaccessible to visitors.


Lizard Stresser is seen as a “DDos for hire” facility which gained notoriety among the hacking community after the group known as Lizard Squad claimed to have knocked Sony PlayStation and Xbox gaming services offline last Christmas.





[caption id="attachment_87" align="aligncenter" width="620"]Six teenagers, including one from Huddersfield, have been arrested over a suspected cyber attack Six teenagers, including one from Huddersfield, have been arrested over a suspected cyber attack[/caption]


None of those arrested in the latest police activity are accused of involvement in those incidents, nor are they believed to be members of Lizard Squad.


The National Crime Agency (NCA) said they are suspected of maliciously deploying Lizard Stresser having bought it using alternative payment services such as Bitcoin in an attempt to remain anonymous.


Organisations believed to have been targeted by the suspects include a national newspaper, a school, gaming companies and a number of online retailers. They have not been named and it has not been confirmed whether the attempted DDoS attacks were successful.


Tony Adams, senior Operations Manager at the NCA’s National Cyber Crime Unit, said: “By paying a comparatively small fee, tools like Lizard Stresser can cripple businesses financially and deprive people of access to important information and public services.


“This multi-agency operation illustrates the commitment of the NCA and its partners to pursuing people who think they can criminally disrupt important public services or legitimate businesses.”


The arrests were made as part of an operation codenamed Vivarium co-ordinated by the NCA and involving officers from several police forces.


A number of warrants were executed this week. Those arrested were: an 18-year-old from Huddersfield, West Yorkshire; an 18-year-old from Manchester; a 16-year-old from Northampton; and a 15-year-old from Stockport.


Two other suspects, both 17, were arrested earlier this year. One is from Cardiff while the other is from Northolt, north-west London.


All six have been bailed, while a further two 18-year-olds - one from Manchester and one from Milton Keynes - were interviewed under caution.


As part of the same operation officers are visiting around 50 addresses linked to individuals who are registered on the Lizard Stresser website but who are not suspected of involvement in attacks.


The NCA said they will be warned DDoS attacks are illegal, can cause financial damage and lead to “severe restrictions on their freedom”.


Mr Adams added: “One of our key priorities is to engage with those on the fringes of cyber criminality, to help them understand the consequences of cyber crime and how they can channel their abilities into productive and lucrative legitimate careers.”


Source:http://www.yorkshirepost.co.uk/


Information Security Newspaper

Ashley Madison, la web para infieles hackeada, llena de perfiles de mujeres falsos

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/importantes/ashley-madison-la-web-para-infieles-hackeada-llena-de-perfiles-de-mujeres-falsos/
TAGS: Ashley Madison

¿Alguna vez has ido a una discoteca en la que cobraban a los hombres para entrar y a las mujeres no? Pues en la web para aventuras extramaritales Ashley Madison pasaba eso, las féminas no pagaban por registrarse. A pesar de ese incentivo, Ashley Madison, la web para infieles hackeada, parece estar llena de perfiles de mujeres falsos. Al final, parece que los usuarios querían engañar a sus esposas... y eran ellos los engañados por el servicio de encuentros.


Hace poco te contamos cómo un grupo de hackers había hecho públicos los datos de los miembros de Ashley Madison causando problemas muy graves. Está página tiene como objetivo poner en contacto a personas casadas para que vivan una aventura extraconyugal, y se suponía que la discreción se trataba de su seña de identidad. Tras la filtración, los escándalos han sido innumerables, y se cree que algunos suicidios han tenido su origen en la revelación de estos secretos.


Few women



Pocas mujeres, y casi ninguna real


Parece que Ahsley Madison confirma que los hombres son más infieles que las mujeres, al menos en Internet. A pesar de que para ellas el registro no tenía coste, existían sólo 5,5 millones de cuentas femeninas frente a 32 millones de cuentas masculinas. Y lo peor es que hay indicios de que muchos perfiles de mujeres eran falsos: algunos estaban asociados a correos de la propia empresa, otros a direcciones de ordenadores sospechosos, y un par de antiguos empleados han confirmado que la empresa les pedía abrir cuentas falsas de mujeres.


Lo más grave es que otros detalles confirman las sospechas: mientras que los hombres eran activos en Ashley Madison, la mayoría de las mujeres no participaba nunca más allá del registro. Aunque las condiciones legales del servicio indican que no se puede asegurar la autenticidad de los perfiles, en este caso todo apunta a un fraude masivo.


Así que Ashley Madison, la web para infieles hackeada, está llena de perfiles de mujeres falsos. A pesar de que la empresa ofrece 500.000 dolares por la captura de los responsables de ataque, lo cierto es que la compañía parece destinada a desparecer tras la pérdida de confianza de sus miembros y los innumerables problemas legales que le esperan en los próximos meses.


Fuente:http://www.elgrupoinformatico.com/


Noticias de seguridad informática

Zero-Day, Angler kit exploits help drive up malvertising by 325%

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/securitynewspaper/2015/08/28/zero-day-angler-kit-exploits-help-drive-up-malvertising-by-325/
TAGS: Angler kit exploits, Cryptowall

A massive uptick in malvertising has taken place over the last few years and is becoming so popular that it may become the top technique used for drive by attacks, according to Cyphort Labs' The Rise of Malvertising report.


The 325% spike can be attributed to a combination of more zero-day exploits and new technology making malvertising more effective, Nick Bilogorskiy, Cyphort's director of security research, told SCMagazine.com in an email correspondence Tuesday.


“The increase is likely driven by recent proliferation of new zero-day exploits, which increased the efficiency of malvertising and made that technique more appealing for attackers,” he said adding, “We see groups behind exploit kits like Angler constantly update and mutate their kits adding new techniques to avoid detection.”


A Cyphort Labs study on malvertising indicates a massive uptick with this form of attack has taken place over the last few years driven by the proliferation of zero-day and Angler kit exploits.

Cyphort compiled the results from an analysis 100,000 popular websites each month and discovered between 100 and 400 malvertising-related incidents monthly.


The Association of National Advertisers has estimated that the total dollar damage from ad fraud caused by malvertising could top $6.3 billion in 2015, but the Cyphort report did not put an exact monetary figure on losses suffered by consumers. Still, Bilogorskiy said it is likely huge.


“The damage to the consumer could be massive, as their machine will get infected by malware, which could extort a ransom payment (Cryptowall) or steal their credit/card banking information. The dollar cost of the infection per consumer is the same as in other attacks, but the total number of consumers impacted is very large,” he said.


The report noted that the biggest malvertising issue it found was the Huffington Post in January 2015 when Cyphort Labs detected a compromise of the AOL Ad Network, that Cyphort Labs said was conducted by the Kovter gang.


The company predicted the success enjoyed by cybercriminals using malvertising will lead to more attacks in the future.


“Malvertising is likely to become the most favorable vector for cyber criminals to conduct sophisticated drive-by attacks on Internet users with some degree of selective targeting. For example, they can choose hosting sites to target victims by industries and interest groups; they can further select individuals by geo locations and client machine types,” the report stated.


Source:http://www.scmagazine.com/


Information Security Newspaper

Thursday, 27 August 2015

Una vulnerabilidad ha sido corregida en Ubuntu

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/seguridad-informatica/una-vulnerabilidad-ha-sido-corregida-en-ubuntu/
TAGS: GDK-pixbuf, Ubuntu

La informática es algo creado por humanos, y al igual que estos, no es perfecta. Aunque los usuarios de GNU/Linux repetimos mucho lo de “Linux es más seguro que Windows”, esto no quiere decir que el sistema que usamos habitualmente no tenga vulnerabilidades.


El día de ayer fue publicado un aviso de seguridad de Ubuntu, en el cual se informaba sobre un fallo de seguridad de cierta gravedad encontrado en el paquete GDK-PixBuf. El aviso da la siguiente descripción sobre cómo podía ser explotado el bug.


Gustavo Grieco descubrió que GDK-PixBuf manejaba incorrectamente el escalado de las imágenes de mapas de bits. Si un usuario o un sistema automatizado fuese engañado a la hora de abrir un fichero de imagen BMP, un atacante podría aprovechar este fallo de forma remota para hacer que GDK-PixBuf se bloqueara, teniendo como resultado una denegación de servicio, o posiblemente la ejecución código arbitrario.


Por suerte el error ya ha sido corregido, y después de actualizar tendrían que aparecer los siguientes paquetes:



  • Ubuntu 15.04:
    • Paquete: libgdk-pixbuf2.0-0

    • Versión: 2.31.3-1ubuntu0.1


  • Ubuntu 14.04 LTS:
    • Paquete: libgdk-pixbuf2.0-0

    • Versión: 2.30.7-0ubuntu1.1


  • Ubuntu 12.04 LTS:
    • Paquete: libgdk-pixbuf2.0-0

    • Versión: 2.26.1-1ubuntu1.2


En caso de no tener el paquete en su versión correcta, una actualización estándar tendría que instalarlo. De hecho en mi Kubuntu 14.04 está instalado y yo no he hecho nada especial, salvo actualizar esta mañana. Y por lo que cuentan en Softpedia, hay otras dos distribuciones afectadas, entre las que se encuentra Debian.


Una vulnerabilidad ha sido corregida en Ubuntu

A pesar de que GNU/Linux no esté tan acosado por el malware como Windows o Android, esto no quiere decir no pueda haber decenas de vulnerabilidades listas para ser explotadas.


Fuente:http://www.muylinux.com/


Noticias de seguridad informática

BitTorrent kills bug that turns networks into a website-slaying weapon

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/securitynewspaper/2015/08/28/bittorrent-kills-bug-that-turns-networks-into-a-website-slaying-weapon/
TAGS: BitTorrent, uTorrent

Reflective technique would let attacker amplify traffic and flood targets.


BitTorrent has fixed a flaw in its technology that quietly turns file-sharing networks into weapons capable of blasting websites and other internet servers offline.


The San Francisco company said Thursday the patch for its libuTP software will stop miscreants from abusing the peer-to-peer protocol to launch distributed reflective denial-of-service (DRDoS) attacks.


LibuTP is an essential building block for BitTorrent apps, such as Vuze, uTorrent, Transmission and the BitTorrent's own client software. These applications must be updated to include the fix, and installed by netizens to fully kill off the DRDoS vulnerability. uTorrent version 3.4.4 40911, BitTorrent version 7.9.5 40912, and BitTorrent Sync version 2.1.3, were all patched up earlier this month.


First uncovered by researcher Florian Adamsky, the vulnerability allows a single attacker to amplify a small string of data into a much larger flood of garbage network traffic that is directed toward a single target.


"Thankfully, no such attack has yet been observed in the wild, and Florian responsibly contacted us to share his findings," BitTorrent spokesman Christian Averill wrote in a blog post.


"This gave our engineering team the opportunity to mitigate the possibility of such an attack."


By utilizing a flaw in the BitTorrent protocols, an attacker can send a small amount of data across the internet to force unsuspecting BitTorrent nodes to simultaneously transmit a much larger wad of network packets to a machine of the attacker's choosing – effectively amplifying the attacker's input and outputting it all to a victim's computer.


This, if repeated enough times with enough nodes, allows the attacker to potentially bombard a targeted IP address with huge amounts of data, thus washing away any legit traffic. Effectively, the attacked server would appear to be offline.




[caption id="attachment_78" align="aligncenter" width="648"]How an attack would propagate through the BitTorrent network How an attack would propagate through the BitTorrent network[/caption]

"By spoofing the source address in a UDP packet, an attacker can trick an intermediate node into sending data to a third party," BitTorrent bod Francisco de la Cruz explained in a blog post.


"If an attacker can find a UDP protocol that sends responses larger than initial requests, it can amplify the traffic directed at a victim."


BitTorrent has tweaked its library code to address the design flaw in its protocol. Before, an attacker could start a connection with a BitTorrent node, and fake its IP address to be that of the victim. The node would acknowledge the connection to the victim, rather than the attacker. The attacker would then send a handshake message to the node. The node would try to repeatedly reply to the handshake to the hapless victim, rather than the attacker.


Now a node will generate a random acknowledgment value and send that to the victim, rather than the attacker, when the connection is initiated. The attacker can only guess what this value is, and without it, its handshake message to the node will be ignored. The node will refuse to reply to the handshake unless the sender knows the acknowledgment value to prove it initiated the connection.


This, in turn, will make reflecting large volumes of traffic far more difficult for an attacker, and will prevent the execution of DRDoS attacks.


BitTorrent noted that even before the vulnerability was disclosed, products such as its Sync tool were in large part safe against the attacks.


"Sync, by design, limits the amount of peers in a share, making the attack surface much smaller," added Averill. "It would not serve as an effective source to mount large-scale attacks."


Source:http://www.theregister.co.uk/


Information Security Newspaper

Kit de exploits Sundown el primero en utilizar falla de Internet Explorer

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/importantes/kit-de-exploits-sundown-el-primero-en-utilizar-falla-de-internet-explorer/
TAGS: Internet Explorer, Kit de exploits Sundown

Symantec ha descubierto que el kit de exploits (EK) Sundown toma ventaja de la reciente vulnerabilidad CVE-2.015-2444 de Internet Explorer. Sundown fue utilizado en un reciente ataque watering-hole a Japón.


El exploit para CVE-2015-2444 fue lanzado públicamente por primera vez el 12 de agosto. Microsoft corrigió este error en una actualización de seguridad.


Symantec observó a los atacantes utilizar Sundown para explotar este error en ataques y colocar una puerta trasera a troyanos que afectan principalmente a usuarios japoneses. Los atacantes inyectaron un inframe en un sitio web válido, redirigiendo a los usuarios a una página de destino altamente confusa que contenía el kit de exploits Sundown.


Kit de exploits Sundown el primero en utilizar falla de Internet Explorer

Cuando los usuarios llegaban a la página, el kit de exploits buscaba en la computadora archivos de controladores relacionados con software de seguridad, ambientes de aplicaciones controladas y herramientas de captura de tráfico. El EK no actuaba si cualquiera de los programas anteriores estaba presente, para evitar su detección.


El kit exploits intenta explotar vulnerabilidades en distintos software después de comprobar que las condiciones son aceptables. Si el kit fue exitoso, se despliega Trojan.Nancrat en el equipo de la víctima. La amenaza actúa como una puerta trasera y roba información del equipo comprometido.


Fuente:http://www.seguridad.unam.mx/


Noticias de seguridad informática

Test Post from Noticias de seguridad informática

Test Post from Noticias de seguridad informática http://noticiasseguridad.com

Roban 220.000 cuentas de iCloud debido al Jailbreak

SOURCE: Noticias de seguridad informática http://noticiasseguridad.com/hacking-incidentes/roban-220-000-cuentas-de-icloud-debido-al-jailbreak/
TAGS: iCloud, jailbreak

Por todos es sabido los riesgos que conlleva tener Jailbreak en nuestro dispositivo. Para quien no sepa de que hablamos, el Jailbreak es una especie de "pirateo" que podemos hacer en nuestros dispositivos iOS y que nos sirve para tener acceso a modificar el sistema operativo a nuestro gusto y añadir funciones que no tenemos de serie.

Pero no todo es tan bueno como parece, todo en este vida tiene pros y contras y el Jailbreak no va a ser una excepción. La mayoría de problemas de seguridad que sufren los dispositivos Apple vienen dados por esto y en ocasiones estos problemas son graves como ahora ha ocurrido.


Roban 220.000 cuentas de iCloud debido al Jailbreak

220.000 robos de cuentas y contraseñas


Se han robado más de 220.000 cuentas de iCloud con los respectivos correos y contraseñas de cada una de ellas. Muchísima gente hace el Jailbreak a sus dispositivos conque si tú eres uno de ellos te recomendamos rápidamente que cambies tu contraseña por si eres uno de los muchos afectados.

Se dice que las personas que tienen más probabilidad de estar infectadas son las que han instalado Tweaks (aplicaciones para hacer funciones que iOS de serie no puede hacer) de repositorios no oficiales. Siempre recomiendo que si hacemos el Jailbreak, instalemos Tweaks de repositorios oficiales que aunque en muchas ocasiones sean de pago, al finalpodemos evitarnos disgustos de este tipo.

Soy de los que son partidarios de no hacer Jailbreak en nuestros dispositivos en la actualidad y os lo dice una persona que hasta iOS 6, lo hacía constantemente. Pero Apple desde iOS 7 ha ido mejorando mucho su sistema, introduciendo nuevas funciones y haciendo cada vez este pirateo menos útil. Si queréis seguir teniendo Jailbreak, volvemos a insistir: instalad Tweaks de repositorios oficiales y cambiar vuestra contraseña por si sois de los afectados.


Fuente:http://www.gadgetos.com/


Noticias de seguridad informática

AutoIt Used in Targeted Attacks to Move RATs

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/securitynewspaper/2015/08/27/autoit-used-in-targeted-attacks-to-move-rats/
TAGS: Dridex, malware, RAT

Hackers, months ago, revived macros as an attack vector to primarily hide banking malware spread by spam campaigns.


Not be left out, some targeted attacks kicked off by convincing phishing emails, have been moving a few remote access Trojans and other malware via Word docs. One particular targeted campaign, researchers at Cisco said, was using AutoIt to drop malware on compromised machines. AutoIt is freeware that allows Windows administrators to write scripts that automate tasks.





The use of macros by hackers is mitigated by the fact they’ve been disabled by default since the release of Office 2007. But Cisco researchers said the language and spoofed senders in the phishing emails accompanying the targeted attacks could be enough to convince a potential victim to enable macros and execute the attack.

“In this case, they’re impersonating a legitimate business. If the message is convincing enough, they could lower their guard and enable macros if they believe doing so will fully render a document or allow them to see the encoding of images a document may contain,” said Cisco Talos threat researcher Alex Chiu. “We’ve seen these techniques used with several targeted Dridex campaigns. They’re taking techniques that are old, and in this case, making them useful again.”

AutoIt Used in Targeted Attacks to Move RATs

The use of AutoIt is not only unique, but effective in allowing the attackers to evade detection. AutoIt is a legitimate IT administration tool and could be whitelisted in many enterprises. In the case of this particular campaign, the victim is urged to enable macros on a Word document that pretends to be from a legitimate business. Once the victim executes the attack, it reaches out to hxxp://frontlinegulf[.]com/tmp/adobefile.exe where it downloads a binary. The payloads change regularly Cisco said. AutoIt was one such payload, downloaded in a self-extracting archive. In addition to AutoIt, a 600MB AutoIt script was downloaded from the archive that included antianalysis checks, payload decryption, malware installation and persistence mechanisms. The script also installed either the Cybergate RAT, NanoCore RAT, or the Parite worm.

The RATs were used against a small number of organizations, Chiu said. The large AutoIt script would likely evade antivirus or intrusion detection systems that have file-size limits. Chiu said too that it looks for a particular antivirus installation and if detected, it sleeps for a defined period of time before executing. Once it does execute, it tries to disable Windows User Access Control (UAC) in order to establish persistence on the machine and continue decrypting its payload.

“Adversaries are using legitimate freeware to fly under the radar,” Chiu said. “It can hide as white noice because it appears as a management task.” Chiu said it’s unknown whether the targeted organizations already were using AutoIt in their environments.

As for the RATs, NanoCore was spotted in attacks against energy companies in Asia and the Middle East before earlier this year, source code for the RAT and its premium plugins was leaked online making it widely accessible. Cybergate, meanwhile, has been available for years online and is considered easy to setup and use.

In January, Microsoft warned companies of a spike in macro-enabled malware. It said in December attacks peaked at fewer than 8,000 a day for a short time. Like the current campaign spotted by Cisco, victims were enticed to enable macros and were ultimately infected by either the Ardnel or Tarbir downloader that grabbed any variety of malware from there.


 Source:https://threatpost.com

Information Security Newspaper

Dolphin and Mercury Android browsers have major vulnerabilities

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/securitynewspaper/2015/08/27/dolphin-and-mercury-android-browsers-have-major-vulnerabilities/
TAGS: Dolphin

Major vulnerabilities have been detected in Dolphin and Mercury Android browsers that could have provided cybercriminals with the opportunity to launch zero-day attacks.


This is considered to be a notable discovery. With both browsers growing in popularity – it is estimated that over 100 million downloads have been made between the two browsers – the fallout of a potential attack could be huge.


The flaws were uncovered by Benjamin Watson, a mobile security researcher who blogs under the pseudonym of rotlogix.


With regards to Dolphin, the expert wrote that the vulnerability makes it possible for attackers to perform remote code execution.


“An attacker with the ability to control the network traffic for users of the Dolphin browser for Android, can modify the functionality of downloading and applying new themes for the browser,” he explained.


“Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user’s device.”


As for Mercury, Mr Watson said that the defect evident in this browser could allow a cybercriminal to remotely perform arbitrary reading and writing of files within its data directory.


Dolphin and Mercury Android browsers have major vulnerabilities


This is made possible through a weakness in the implementation of the Intent URI scheme – because of this, an attacker can “invoke private activities through a crafted HTML page”.


Also observed in Mercury was a path traversal vulnerability. This was found within a custom web server used to support the browser’s Wi-Fi transfer feature. The anomaly meant that he could read data within its data directory.


“This was a great find in the sense that it meant I could essentially download and exfiltrate files being stored by the browser’s data directory,” Mr Watson discussed.


“It did not take me long as well to validate that I could write and overwrite files within the browser’s directory using the upload functionality and path traversal vulnerability.”


The security professional has recommended that users of Dolphin and Mercury immediately cease using the browser while patches are made. Both have been made aware of the vulnerabilities.


Source:http://www.welivesecurity.com/


Information Security Newspaper