Month: December 2015

Linode Hit by DDoS Attacks

Posted on

Cloud hosting company Linode has suffered a series of service interruptions due to distributed denial-of-service (DDoS) attacks launched against its infrastructure over the past few days.

The campaign started on December 26 when the company reported that DDoS attacks had disrupted the Linode Manager and its website. On the same day, the attackers also targeted Linode’s DNS infrastructure, and the company’s data centers in Dallas, Atlanta, London and Newark.

It took roughly 2-3 hours for Linode’s systems and network engineering teams and the company’s upstream providers to mitigate the attacks.

On December 27, DDoS attacks were reported at the data centers in Atlanta, Newark, and London. Linode’s service status page shows that it took the company nearly four hours to mitigate the attack against the London data center, while network connectivity was restored in one hour in Atlanta and in two hours in Newark.

The attacks against various components of Linode’s infrastructure continued on Monday and Tuesday.

In the early hours of Wednesday, shortly after announcing that a DDoS attack affecting Linode’s website had been mitigated, the company reported seeing continued attacks disrupting access to its web services.

The latest update indicates that the Dallas data center was again targeted recently, causing packet loss.

Kaspersky Lab reported in November that in the third quarter of 2015, Linux-based botnets accounted for nearly half of the total number of DDoS attacks. The most notable was the XOR botnet, which malicious actors leveraged to launch attacks that peaked at more than 150 Gbps.

A Kaspersky report released in December showed that almost half of the organizations hit by DDoS attacks actually claimed to know the identity of the attackers. The study is based on information from more than 5,500 companies across 26 countries.

Source: http://www.securityweek.com/

A software bug caused the early release of 3,200 US prisoners


The US Department of Corrections discovered a long-standing software bug that resulted in the early release of prisoners.

This news is disconcerting and demonstrates the importance of carefully considering the technology in our lives. The Washington State Department of Corrections (DoC) launched an investigation after it released 3,200 prisoners early over the course of 13 years.

It seems that a software bug present in the systems of the Department since 2002, caused errors in the calculation of time credits for the good behavior of individuals while imprisoned.

The bug led to errors in the calculation of sentence reductions for prisoners with good behavior; the experts estimated that, over the 13-year period, those released early left prison an average of 49 days before their correct release date.

“This problem was allowed to continue for 13 years is deeply disappointing to me, totally unacceptable and, frankly, maddening,” said Washington State Governor Jay Inslee. “I’ve [many] questions about how and why this happened, and I understand that members of the public will have those same queries.”

Gov. Jay Inslee has already ordered the Washington Department of Corrections to take the necessary actions to address the bug that allowed prisoners to leave jail early.

Department of Corrections software bug

The software bug was introduced in 2002, the year the state’s supreme court changed the calculation of the “good time” credit system for all prisoners in state prisons and county jails.

Criteria for evaluating prisoners’ good behavior were introduced to allow inmates of state prisons to reduce the period to be served.

The DoC released a new version of the software that implemented the new rules, but it also introduced a bug. It is important to highlight that the Department of Corrections (DoC) had been informed of the software bug at least three years earlier: in December 2012, the family of an assault victim reported the issue to the Department of Corrections.

The US Department of Corrections accepted the claim and filed a request, ranking the error as “time sensitive.” This means the department urged a solution as soon as possible, but something went wrong.

“Between December 2012 and this month, the software fix “was repeatedly delayed,” according to a DOC timeline of events. The delays occurred despite the fact a DOC worker who filed the service request labeled the fix as time sensitive and “ASAP.” Reported the SeattleTimes. “Typically, IT fixes are put into a queue according to priority, said Brown. But, “What we know, I think, at a bare minimum, is the proper prioritization did not occur,” he said.”

Three years to fix a time-sensitive bug that could affect public safety. Simply absurd!

Now something seems to be changing: Inslee assured that the software bug will be fixed by January 7th.

Pending the fix, the US DOC has required double checks before releasing any prisoner.

“The governor ordered DOC to halt all releases of impacted offenders from prison until a hand calculation is done to ensure the offender is being released on the correct date. A broader software fix is expected to be in place by Jan. 7, 2016.” continues the official statement.

“In addition, DOC is working swiftly to locate offenders who were released from prison prior to their actual earned release date and ensure they fulfill their sentences as required by law. In accordance with Supreme Court precedent, most of the offenders who were released early will be given day-for-day credit for their time in the community. Depending on how much time they have left to serve, the offenders will go to work release or back to prison.”

Source: http://securityaffairs.co/

UConn Website Hijacked and Used to Spread Fake Flash Player Containing Malware


University of Connecticut loses control of its DNS entries. The official Web portal of the University of Connecticut was compromised on Sunday and used to spread malware to all visitors, masqueraded as a fake Adobe Flash Player update, The Daily Campus reports.

According to UConn deputy spokesman Tom Breen, on Sunday, the third day of Christmas, December 27, at around 11:00 AM, the nonprofit organization Educause, who manages UConn’s website, lost control of the site’s DNS entries.

UConn was the victim of a simple DNS hijacking attack

DNS entries are simple “domain name – IP address” pairs that tell Internet browsing software from where to download the content of a desired website.

Attackers managed to hijack the university’s DNS listing and point all users accessing the uconn.edu URL to the wrong server, one controlled by the attackers.

Here, a blank page would be served to all users, and immediately as the site loaded, a popup would appear asking users to download a newer version of the Adobe Flash Player to be able to continue.

Users that clicked OK in the popup would download a file named adobe_flashplayer_18.exe, containing malware.

Officials resolved the issue by the second day

University staff were quickly alerted and managed to regain access to their DNS records. Their efforts were delayed because the MX records that were responsible for all @uconn.edu email addresses were also corrupted, which made it hard to contact the ISP with an email coming from an official address.

All things returned to normal by the second day, when most DNS servers phased out the malicious uconn.edu DNS entry, which remained stored in their cached entries for a few more hours.

DNS hijackings are common, and in the past, many high-profile companies have fallen victims to such attacks. One of the biggest such incidents this year was when domain registrar eNom lost control of four of its DNS servers. The attack was short-lived but affected a large number of clients.

Popup that appeared on UConn’s website


How to view saved Wi-Fi passwords in Windows 10, Android and iOS



So many stores, service stations, coffee shops, pubs and so on offer free Wi-Fi that you probably have countless networks saved on your phone or laptop. Having a password saved on your computer is great, but how can you get the password so you can use it on your phone as well?

Rather than trying to hunt down a member of staff to ask, or hunting high and low for that tiny sign that shares the password, you can instead view the wireless passwords you have saved. Read on to find out how to retrieve these passwords in both Windows 10 and Android.

If you already have the password for a wireless network saved on your laptop and want to retrieve it to use on your phone — or share with someone else — things are quite simple. The same method works in Windows 7, Windows 8.x, and Windows 10, but it’s important to note that you need to be connected to the network you are trying to retrieve the password for.

  • Press the Windows key and R, type ncpa.cpl and press Enter.
  • Right click on the wireless network adaptor and select Status.
  • Click the Wireless Properties button.
  • In the Properties dialog that appears, move to the Security tab.
  • Click the Show characters check box, and the network password will be revealed.


If you want to retrieve a saved wireless network password from Android or iOS, you’ll have to have a rooted or jailbroken device — sadly, there is no standard way to pull up security credentials. It’s worth noting that there are several apps out there in Google Play that claim to reveal Wi-Fi passwords; while some of these work, there are also numerous malicious tools out there, so it’s best to use an alternative method.

If you’re using Android, install a copy of the free file browser ES File Explorer.

  • Navigate to the data/misc/wifi folder on your device — it will not be visible on non-rooted phones.
  • Open the file called wpa_supplicant.conf and you will see a list of saved Wi-Fi networks complete with their passwords.

To retrieve a Wi-Fi password on a jailbroken iPhone, you can check in the Keychain access app if you have a Mac connected to the same network, but there’s another method if you prefer to do it all from your phone.

Grab yourself a copy of WiFi Passwords from Cydia.

Fire up the app, and you’ll be presented with a list of all of the passwords your iPhone has for saved wireless networks.

Source: http://betanews.com/

Yahoo! to Warn Users of State-Sponsored Attacks


Yahoo! this week announced that it will notify users when it suspects that their accounts might have been targeted by state-sponsored actors.

Bob Lord, Chief Information Security Officer at Yahoo!, announced in a blog post that the company already has a system for detecting and preventing unauthorized access to user accounts by third parties, and will now inform users when it believes they are being targeted by attackers working on behalf of a nation-state.

Lord explained that the notifications users will receive will include information on the specific actions they can take to ensure that their Yahoo accounts are safe and secure. He also notes that users should take one of these actions as soon as they receive the notification from the company.

To keep their accounts protected, users should turn on Account Key or Two-Step Verification to approve or deny sign-in notifications, thus being able to deny access to their accounts. They should also choose a strong, unique Yahoo account password they’ve never shared or used before.


Lord also advises users to check that their account recovery information such as phone number or alternate recovery email address is up to date and that they still have access to them, while removing those they no longer have access to or don’t recognize. Users should also check their mail forwarding and reply-to settings, and should be reviewing recent activity in account settings for sessions they don’t recognize.

Users are also strongly encouraged to protect themselves outside of their Yahoo account by avoiding phishing attacks: not clicking on links they are not sure about and never providing account information when asked to, especially via email. Users should also have up-to-date anti-virus software on their computer and should review the account security guidelines posted by other services they use, including social networks, financial institutions, and other email providers.

Lord reminded users that receiving one of these notifications does not necessarily mean that the account has been compromised. He also notes that the warning does not mean that Yahoo’s internal systems have been compromised in any way in such attacks.

The security chief did not share details on how Yahoo! can tell if an attack is state-sponsored.

“However, rest assured we only send these notifications of suspected attacks by state-sponsored actors when we have a high degree of confidence,” he wrote.

Other Internet companies have also made formal announcements regarding their position on state-sponsored attacks against user accounts. Google did so in 2012, while Facebook made the announcement in October 2015. Last week, Twitter also informed some users of suspected state-sponsored attacks, though it did not make an official announcement on the matter.

Source: http://www.securityweek.com/

Microsoft to Remove Superfish-Like Programs Starting in March


Microsoft has taken steps to impede the next Superfish from impacting users.

Superfish was pre-installed adware found on new Lenovo laptops earlier this year. The software exposes users to man-in-the-middle attacks because of the way it injects advertisements into the browser. It comes with a self-signed root cert that generates certs for HTTPS connections, replacing existing certs with its own in the process. Attackers could take advantage of this scenario—especially after the password for the cert that shipped with Superfish was found—to listen in on encrypted communication.


Microsoft this week said it has updated its rules around adware, and now such programs that build ads in the browser are required to only use the browser’s “supported extensibility model for installation, execution, disabling and removal.” Microsoft said starting March 31, 2016 it will detect and begin removing programs that are not in compliance.

“The choice and control belong to the users, and we are determined to protect that,” wrote Barak Shein and Michael Johnson of Microsoft’s Malware Protection Center.

Lenovo quickly patched the original Superfish issue and shortly thereafter, browser makers such as Mozilla removed the root cert from Firefox’s trusted root store.

Superfish’s ability to perform SSL interception by proxy was certainly worrisome behavior from a supposedly trusted product, one that was suddenly opening the door not only to man-in-the-middle attacks, but also the manipulation of DNS settings and other network-layer attacks. Worse yet was that Superfish-like software would not trigger warnings about man-in-the-middle attacks.

“All of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser,” Microsoft said. “Our intent is to keep the user in control of their browsing experience and these methods reduce that control.”

Source: https://threatpost.com

LEARNING A NEW COMPUTER SECURITY LANGUAGE: HAKA (PART: RULES)



In the last article we learned more about Haka, an open-source security language, with help from computer security services experts: http://noticiasseguridad.com/importantes/aprender-nuevo-lenguaje-de-seguridad-informatica-haka/ In this article we will cover how to write security rules in Haka, with the help of an ethical hacking instructor. Haka offers a simple way to write security rules to filter, modify, create and inject packets. According to computer security audit experts, when a flow carrying something malicious is detected, the rules can report it to users or drop the flow. Users can define more complex scenarios to mitigate the impact of an attack. For example, one can alter HTTP requests to force obsolete browsers to update, or forge specific packets to fool traffic analysis tools.

The following rule is a basic packet-filtering rule that blocks all connections directed to a network address range.

    -- Load the IPv4 and stateful TCP connection dissectors.
    local ipv4 = require("protocol/ipv4")
    local tcp = require("protocol/tcp_connection")

    -- The address range whose incoming connections are blocked.
    local net = ipv4.network("192.168.101.0/24")

    haka.rule{
        -- Evaluated on every TCP connection establishment attempt.
        hook = tcp.events.new_connection,
        eval = function (flow, pkt)
            haka.log("tcp connection %s:%i -> %s:%i",
                flow.srcip, flow.srcport,
                flow.dstip, flow.dstport)

            -- Destination inside the blocked range: alert and drop the flow.
            if net:contains(flow.dstip) then
                haka.alert{
                    severity = "low",
                    description = "connection refused",
                    start_time = pkt.ip.raw.timestamp
                }
                flow:drop()
            end
        end
    }

The first lines of the code load the protocol dissectors, IPv4 and TCP, explains ethical hacking instructor Mike Stevens. The first line handles IPv4 packets. Then we use a stateful TCP dissector that maintains a connection table and manages TCP flows. The next line defines the network address range that must be blocked.

The security rule is defined through the haka.rule keyword. According to a computer audit services expert, Haka rules are very useful. A security rule is made of a hook and an evaluation function, eval. The hook is an event that triggers the evaluation of the security rule. In this example, the security rule is evaluated on every TCP connection establishment attempt. The parameters passed to the evaluation function depend on the event, explains the computer security services expert. In the case of the new_connection event, eval takes two parameters: flow and pkt. The first holds details about the connection and the second is a table containing all the fields of the TCP packet.

As the ethical hacking instructor recommends, in the core of the security rule we first log (haka.log) some information about the current connection. Then we check whether the destination address (flow.dstip) belongs to the range of unauthorized IP addresses. If the test succeeds, we raise an alert (haka.alert) and drop the connection. Roberto Talles, computer security audit expert, notes that only a few details are reported in the alert. More information can be added, such as the source and the target service.

We use the hakapcap tool to test our rule filter.lua on a pcap trace file, filter.pcap:

$ hakapcap filter.lua filter.pcap


From here on, the output shows some information about the loaded dissectors and the registered rules. The output shows that Haka managed to block connections directed to the address 192.168.101.62:

In the previous example, we defined a single rule to block connections. One can write a set of firewall rules using the haka.group keyword, the ethical hacking instructor mentioned. In that case, the configuration can choose a default behaviour (for example, block all connections) if none of the security rules explicitly authorizes the traffic.
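As an added example (not code from the article or from the Haka project), the following rule group implements the default-deny behaviour just described: every rule returns true when it authorizes a flow, and a flow that no rule authorized is dropped. The group API names (haka.rule_group, group:rule, the init/continue/fini callbacks, haka.alert.address and haka.alert.service) are assumed from the Haka documentation and should be checked against the installed version; the address range and port list are constructed values.

```lua
-- Added example: default-deny TCP filtering with a Haka rule group.
-- Assumption: haka.rule_group / group:rule with init, continue and fini
-- callbacks is the group API of the installed Haka version.
local ipv4 = require("protocol/ipv4")
local tcp = require("protocol/tcp_connection")

-- Constructed values: the protected range and the services allowed on it.
local internal = ipv4.network("192.168.101.0/24")
local allowed_ports = { [22] = true, [80] = true, [443] = true }

local group = haka.rule_group{
    -- Evaluated on every TCP connection attempt, like the single rule above.
    hook = tcp.events.new_connection,

    -- Runs once before the rules of the group are evaluated.
    init = function (flow, pkt)
        haka.log("new connection %s:%i -> %s:%i",
            flow.srcip, flow.srcport, flow.dstip, flow.dstport)
    end,

    -- Called after each rule with that rule's return value. Returning
    -- false stops the evaluation, so a rule that returned true (flow
    -- authorized) ends the group without reaching fini.
    continue = function (ret, flow, pkt)
        return not ret
    end,

    -- Assumed to run only when no rule stopped the evaluation: nothing
    -- authorized the flow, so the default policy is to alert and drop it.
    fini = function (flow, pkt)
        haka.alert{
            severity = "low",
            description = "connection dropped by default policy",
            sources = { haka.alert.address(flow.srcip) },
            targets = { haka.alert.address(flow.dstip),
                        haka.alert.service("tcp", flow.dstport) }
        }
        flow:drop()
    end
}

-- Rule 1: authorize connections to the protected range on allowed ports.
group:rule{
    eval = function (flow, pkt)
        return internal:contains(flow.dstip) and allowed_ports[flow.dstport] == true
    end
}

-- Rule 2: authorize anything that does not target the protected range.
group:rule{
    eval = function (flow, pkt)
        return not internal:contains(flow.dstip)
    end
}
```

Run it the same way as the single rule (hakapcap group.lua filter.pcap, with the file name of your choice) and compare the alerts: a connection to 192.168.101.62 on port 8080 is now dropped by fini, while one to port 443 is authorized by rule 1.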

In the next article we will cover more about packet injection, with the help of computer security services experts.

After Microsoft and Mozilla, Google Also Hurries to Block SHA-1 Certificates


Google won’t lag behind Mozilla and Microsoft. Google has made the move that Mozilla and Microsoft had already announced more than a month ago, and that’s to reveal a revised cutoff date for SHA-1-signed certificates.

According to a recent blog post on the company’s security-themed blog, the company will begin showing a certificate error in Chrome starting January 1, 2016, for all newly issued SHA-1 certificates. Additionally, from January 1, 2017, all SHA-1 certificates will be blocked inside all versions of the Chrome browser.

“In line with Microsoft Edge and Mozilla Firefox, the target date for this step [blocking SHA-1 certificates] is January 1, 2017, but we are considering moving it earlier to July 1, 2016 in light of ongoing research,” explain Lucas Garron and David Benjamin, from the Google Chrome team.

SHA-1 deemed insecure by a recent research paper

The reason most browser vendors are moving away from SHA-1 is a recent research paper presented by three researchers from universities in France, Holland, and Singapore. In their study, the researchers were able to break the SHA-1 algorithm with far fewer hardware resources than previously thought, at a cost much lower than initially estimated.

Since the cost of breaking SHA-1 was between $75,000 and $120,000 in server bills, easily affordable for cybercrime and state-sponsored groups, the researchers urged companies that still employed SHA-1 certificates to update as soon as possible.

The quickest to react was Mozilla, which, only two weeks later, announced that it had established an earlier cutoff date for SHA-1 certificates of January 1, 2017, with the possibility of moving it to July 1, 2016, if new research came out showing the algorithm’s problems.

Two weeks after Mozilla, Microsoft’s Edge team announced the same thing, with the same January 1, 2017, cutoff date, and an optional July 1, 2016, date for emergency situations.

On the other side of the barricade, Facebook and CloudFlare were urging companies to continue to support SHA-1 certificates, but only for older browsers. The reason behind this campaign was the lack of any support for SHA-2 in older browsers. This would effectively cut off a large portion of people from Internet sites that employed modern HTTPS encryption.

Warning shown in Chrome browsers for outdated SHA-1 certs


Hillary Clinton says for crypto ‘maybe the back door is the wrong door’


Calls for ‘Manhattan Project’ to blow up animosity between tech industry and spookhauses.

Democratic presidential front-runner Hillary Clinton has waded deeper in to the debate on encryption with the observation that “maybe the back door is the wrong door”.

Speaking at a debate for Democratic candidates, Clinton was asked if she would legislate “to give law enforcement a key to encrypted technology”.

Clinton’s response was to say “I would hope that, given the extraordinary capacities that the tech community has and the legitimate needs and questions from law enforcement, that there could be a Manhattan-like project, something that would bring the government and the tech communities together to see they’re not adversaries, they’ve got to be partners.”

Photo: Hillary Clinton by https://www.flickr.com/photos/jeepersmedia/ (CC BY 2.0: https://creativecommons.org/licenses/by/2.0/)

She went on to say “maybe the back door is the wrong door, and I understand what Apple and others are saying about that.”

That position weakens Clinton’s previous calls for weaker encryption, but just what other “doors” she referred to was not explained. Clinton’s campaign site says defeating ISIS will require “better coordination and information-sharing all around to break up terror plots and prevent attacks—between European governments and law enforcement, between Silicon Valley and Washington, and between local police officers and the communities they serve.”

The nature of the “Manhattan Project” analog on encryption co-operation was not explained, so it’s hard to say just what Clinton imagines might be the outcome of a massive, secret, three-year project. Presumably Clinton’s keen on a scheme whereby law enforcement agencies gain access to encrypted data without compromising privacy. Good luck with that, Hillary, as a vote-winner and technical challenge.

Source: http://www.theregister.co.uk/

Google Search Rankings Prefer HTTPS by Default


Nothing in Google’s arsenal carries more weight than its search engine rankings. Pair that weapon with a desire to inspire encrypted connections on the web, and you have a pretty powerful combination.

More than a year ago, Google said it was testing a method where a site’s search ranking would be influenced by whether it was using an HTTPS connection. Yesterday, the company announced that it was adjusting its indexing system to look for more HTTPS pages by default.


“Specifically, we’ll start crawling HTTPS equivalents of HTTP pages, even when the former are not linked to from any page,” Google said in its announcement. “When two URLs from the same domain appear to have the same content but are served over different protocol schemes, we’ll typically choose to index the HTTPS URL.”

Google has been a frontrunner in promoting the Electronic Frontier Foundation’s and Tor’s HTTPS Everywhere extension, which offers a secure connection for web requests where none exists. It was also among the first to offer HTTPS by default for Gmail and most of its online services.

It also responded quickly to revelations made in the Snowden documents that the National Security Agency was tapping connections between its overseas data centers by encrypting those critical connections.

Yesterday’s announcement does hinge on a handful of conditions; Google said it will prefer the HTTPS version of a page when:

  • It doesn’t contain insecure dependencies.
  • It isn’t blocked from crawling by robots.txt.
  • It doesn’t redirect users to or through an insecure HTTP page.
  • It doesn’t have a rel="canonical" link to the HTTP page.
  • It doesn’t contain a noindex robots meta tag.
  • It doesn’t have on-host outlinks to HTTP URLs.
  • The sitemap lists the HTTPS URL, or doesn’t list the HTTP version of the URL.
  • The server has a valid TLS certificate.

“Although our systems prefer the HTTPS version by default, you can also make this clearer for other search engines by redirecting your HTTP site to your HTTPS version and by implementing the HSTS header on your server,” Google said.

HOW TO ADAPT TO THE LOPD WITH DATA PROTECTION POLICIES FOR PERSONAL DATA SECURITY


There is a growing number of citizens who have been victims of identity theft and unauthorized use of credit cards because of companies that handle data irresponsibly. According to studies by personal data protection firms in countries such as Mexico, Brazil, the United States, Colombia, Argentina and India, the protection of personal data is a primary concern of citizens, so failing to comply with that regulatory framework can be an impediment and can cause the loss of business opportunities.

Personal data means any information about a person that establishes their identity. Personal data includes place of birth, place of residence, academic, work or professional history, marital status, age, state of health, sexual life, physical characteristics, political ideology and other aspects. Personal data enables a person to interact with companies and/or entities to obtain their services. This exchange drives economic growth and the improvement of goods and services.

To address this problem, the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) was approved a few years ago in order to protect citizens from the misuse and abuse of personal data carried out every day by companies and/or entities without personal data protection policies, in countries such as Mexico, Argentina, India and others. The personal data protection law recognizes and protects the right of every person to access, update and rectify the personal data collected about them, as well as to object to its processing by public or private entities. Personal data whose purpose is security, national defense, intelligence information, or population and housing censuses are not considered to fall under the personal data security law.

According to personal data protection firms, all entities that handle personal data are now obliged to respect the right to privacy and will have to adapt to regulations that guarantee the processing and security of personal data. The personal data protection law also grants citizens the right to request all the personal data a company holds about them, which entails the need to implement personal data protection policies for the cancellation and deletion of personal data. Companies and/or entities that do not comply with this law will face fines.

There are many advantages to adapting to the organic law on personal data protection. For example, Europe’s personal data protection law allows the transfer of citizens’ personal data to third countries that provide an adequate level of protection for that information, considering the nature of the data, the purpose and duration of the processing, and the security standards. If a country adapts to such personal data security regulation, there is potential for exponential increases in foreign investment.


ADAPTING TO THE ORGANIC LAW ON PERSONAL DATA PROTECTION

Companies and/or entities must fulfil the regulatory obligation to adapt to the LOPD (Organic Law on Data Protection). According to consultants at personal data protection firms, compliance with the legal obligations on data protection is essential. Data protection agencies have large teams of inspectors who audit personal data protection policies and impose fines and sanctions following a complaint by any affected party. Points to keep in mind when adapting to the personal data protection law:


  • Personal data systems held by companies and/or entities must be registered with the data protection agency. The registration must include information such as the name and position of the responsible person, the purpose of the system, the nature of the personal data, the acquisition process, the data update process, how the data are interrelated, the retention period, and the personal data security solutions implemented.
  • When companies and/or entities obtain personal data, they must first inform the data subjects of the existence of a personal data system, the processing procedure, the purpose of the data, the recipients, and the rights of access, rectification, cancellation and objection (ARCO).
  • Companies and/or entities shall designate the person responsible for the personal data systems.
  • Comply with the personal data protection policies and regulations, as well as the standards applicable to personal data protection services.
  • Handle personal data only when it relates to the purpose for which it was obtained.
  • Adopt adequate data protection solutions to handle requests for access, rectification, cancellation and objection regarding personal data; public officials must be trained with a personal data protection course.
  • Adapt the security measures for the protection of personal data, or engage personal data security services, and report them to the data protection agency.
  • Modify personal data where appropriate, correcting or completing ex officio any data that is erroneous or incomplete, provided there is a security document that attests to the update of such data.
  • The customer has the right to request the rectification or cancellation of the personal data that concern them.
  • Coordinate and supervise the adoption of data protection solutions by a data protection consultancy or LOPD adaptation firm, in accordance with the personal data protection policies in force.
  • Implement the specific criteria for handling and maintaining the personal data solution.
  • Build a plan of personal data protection courses. All officers of the data protection department must take a personal data protection course.
  • Carry out or regularize the execution of the different operations and modes that make up the processing of data and the personal data systems implemented by personal data security services.
  • Inform the data subject, at the time their personal data is obtained, about the personal data systems and the personal data security solutions implemented by personal data protection and LOPD adaptation firms.

SECURITY MEASURES

According to consultants at a personal data protection company, companies and/or entities must establish technical and organizational security measures to guarantee the confidentiality and integrity of the personal data they hold, in order to preserve the protected rights against modification, loss, transmission and unauthorized access. Data security measures must be adopted in line with the highest degree of protection the personal data warrant. The measures adopted must conform to the different types of security:

Physical security: this includes the protection of facilities and equipment against accidents or force majeure.
Logical security: this includes measures for identifying and authenticating the persons or users authorized to access and modify personal data.
Applications: this concerns the permissions that the creation or processing of personal data systems must have, to guarantee proper use of the data, preventing the involvement of unauthorized users, separation of environments and testing of security controls.
Encryption: this includes the use and implementation of encryption algorithms, keys and passwords, as well as specific protection measures that guarantee the integrity and confidentiality of sensitive data.
Network communications: this refers to the use of data protection solutions such as a system that monitors the communications network for unauthorized activity or security breaches, as well as the management of telecommunications.

According to experts in personal data security services, the following are the security controls whose application is mandatory for all personal data systems to ensure compliance with the personal data protection law:

  • Implementation of a security document.
  • Maintaining documentation of the functions and obligations of the personnel responsible for processing personal data.
  • Access and incident log.
  • Identification and authentication system.
  • Management of storage media, physical and logical access.
  • Backup and recovery system.
  • Managing audit policies.
  • Penetration and vulnerability testing.
  • Distribution of storage media.
  • Telecommunications log.

The data security measures mentioned are minimum requirements, so companies and/or entities will adopt whatever additional measures they consider necessary to offer greater guarantees for the protection and safeguarding of personal data systems. Companies and/or entities should seek help from a consultancy or personal data protection company to implement personal data security services.
To ensure your company is covered under the data protection law, you can seek help from companies such as the Instituto Internacional de Seguridad Cibernética, which offer tools through personal data protection services and a personal data protection course that will let you carry out the LOPD adaptation of your business and keep it up to date at all times with the requirements of current regulations. Personal data security services and LOPD adaptation help clients with:

  • During LOPD adaptation they analyse the company and its personal data processing procedures. They obtain detailed information about the company, the personal data files, the established procedures, information flows and the degree of compliance with the regulation.
  • They coordinate analysis of the personal data systems together with the development of the procedures and documentation required by the standard, as part of the personal data protection services.
  • Through the personal data protection course they teach how to develop the company's legal coverage and train information system users in good information security practices.
  • They provide personal data protection audit services together with delivery of the security document, evaluation of the implemented security measures and LOPD certification. They also teach how to do all of this during personal data protection training.

The personal data protection course is aimed at directors, heads of legal departments, IT department professionals and anyone who wishes to learn the requirements of the Ley Federal de Protección de Datos Personales en Posesión de Particulares (Mexico's federal law on personal data held by private parties). The personal data protection course is very practical and covers the following topics:

  • Introduction to the LFPDPPP.
  • LOPD adaptation environment.
  • Types of personal data and the rights of access, rectification, cancellation and opposition (ARCO).
  • Forums and agencies of the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP).
  • Detailed analysis of data flows.
  • Audit of procedures and enterprise architecture.
  • Implementation of the security document, personal data security measures and services.
  • Implementation with a methodology defined by experience and recommended by international standards.
  • Handling personal data breach incidents, sanctions and complaints by data subjects.

Source: http://www.iicybersecurity.com/servicios-proteccion-de-datos-personales-lopd-ley.html

Teen Steals $150,000 by Hacking Into Airline’s Website

Posted on Updated on

A teenager hacked into an airline’s website, stealing sensitive information, and ripping off customers. (Photo: Thinkstock)

Most teenagers make money by flipping burgers at McDonalds.

This teen made money by defrauding travelers.

Police have arrested a 19-year-old man in Dalian, China after he was caught hacking into an airline’s website, stealing booking information from 1.6 million ticket orders, and ripping off hundreds of travelers.

When all was said and done, the teen, whose surname is Zhang, made off with approximately 1.1 million Yuan ($170,000 USD).

Using the information he gathered, he would text customers and alert them that their flight was canceled. From there, he asked people to re-book flights, and pocketed the money customers spent on re-booking fees.

According to People’s Daily Online, the hacks happened between July 31 and August 20 of this year. The airline announced the breach on August 22nd after several fraud complaints from customers.

Officials also report that the hack caused the airline to lose 80,000 Yuan ($12,365 USD) from repaying customers.

The Guangzhou web police arrested Zhang on Nov. 11.

Currently, it’s not known what the charges will be.

Source:https://www.yahoo.com/

HOW TO IMPLEMENT ENTERPRISE DATA PROTECTION SERVICES AND SOLUTIONS ?

Posted on

There is an increase in the number of people who have been victims of identity theft and unauthorized use of credit cards because many companies handle data irresponsibly. According to many studies done by a personal data protection company in countries such as Mexico, Brazil, the United States, Colombia, Argentina and India, personal data protection and privacy is a primary concern for people, so failure to comply with the regulatory framework can be an obstacle and can cause loss of business opportunities.
Personal data means all the information about a person that establishes his or her identity. Personal data includes place of birth, place of residence, academic, employment and professional history, marital status, age, health, sex life, physical characteristics, political ideology, and other aspects. Personal data can help a person interact with businesses and/or organizations for their services. This exchange of information drives economic growth and the improvement of services.
To address this problem, privacy and personal data protection laws were adopted in countries such as Mexico, Argentina, India and others some years ago, with the purpose of protecting citizens from the misuse and abuse of personal data that companies and/or organizations commit every day. The personal data protection law recognizes and protects people's rights to access, update and correct the personal data collected about them, as well as the right to oppose the processing of their personal data by public or private entities. Personal data involved in national security, national defense, intelligence, and population and housing censuses are not covered by the personal data protection law.
According to a personal data protection company, all entities that handle personal data will now be forced to consider the right to privacy and will need to adapt to regulations that ensure the safe treatment of personal data. The privacy and personal data protection act also gives people the right to request all the personal data a company holds about them, which creates the need to implement personal data protection solutions and policies for the cancellation and removal of personal data. Companies and/or organizations that do not comply with this law will face sanctions and fines.
There are many advantages to implementing personal data protection solutions. For instance, European privacy and personal data protection law permits the transfer of European citizens' personal data to a third country that has an adequate level of data protection for such information, depending on the nature of the data, the purpose and duration of processing, and safety standards. If a country adapts to international privacy and personal data protection regulations, there is the possibility of an exponential increase in foreign investment in that country.

IMPLEMENTING PRIVACY & PERSONAL DATA PROTECTION LAW

Companies and/or organizations must comply with the statutory obligation to implement a personal data protection system. According to various enterprise data protection services consultants, compliance with legal obligations in the field of data protection is essential. Data protection agencies have large teams of inspectors who audit personal data protection systems and apply fines along with sanctions, following a complaint by any affected person. Points to consider while implementing the privacy and personal data protection law:

• All personal data processing systems belonging to companies and/or organizations must be registered with the data protection agency. The registration must include information such as the name and title of the person responsible, the purpose of the system, the type of personal data processed, the process of acquiring data, the process of updating data, the methods of interrelating data, the duration of data retention and the personal data security solutions implemented.
• When companies and/or organizations collect personal data, all interested parties must be advised beforehand of the existence of a personal data protection system, the data treatment process, the purpose of collecting the data, the recipients of the data, and the rights of access, rectification, cancellation and opposition to data processing.
• Companies and/or organizations will designate a person responsible for personal data processing systems.
• Comply with personal data protection policies and regulations as well as standards for enterprise personal data protection services.
• Process personal data only when it relates to the purpose for which it was collected.
• Implement appropriate enterprise data protection solutions to manage all requests for access, rectification and cancellation of personal data; enterprises must also provide a data protection training course to all public servants.
• Implement security measures via enterprise data protection services and inform the data protection agency about the changes.
• Modify personal data when appropriate, correcting incorrect data and completing partial data. All such changes must be logged in a security document.
• The client has the right to request the correction or deletion of their personal data.
• Coordinate and review the implementation of data protection solutions by an enterprise data protection company and make sure it is done according to the data protection norms.
• Implement a specific set of policies for the management and maintenance of the personal data processing system.
• Develop a personal data protection training course plan. All professionals in the data protection department must take data protection training.
• Conduct or regularize the execution of the operations of data processing systems implemented by any personal data protection company.
• Inform the client, when obtaining their personal data, about the personal data processing systems and data protection solutions implemented by personal data protection companies.

SECURITY MEASURES FOR DATA PROTECTION

According to experts from a personal data protection company, businesses and/or organizations should establish technical and organizational security measures to ensure the confidentiality and integrity of personal data, with the objective of preserving data protection rights against modification, loss, transmission and unauthorized access. All data security measures should be implemented with respect to the highest degree of protection the personal data warrant. The security measures should cover the following types of security:

Physical Security: This includes the protection of facilities and equipment to prevent accidental incidents or force majeure.
Logical Security: This includes measures for the identification and authentication of the people or users authorized to access and modify personal data.
Applications: This represents the permissions that the personal data processing system should manage to ensure proper use of data, preventing the participation of non-authorized users, along with separation of environments and penetration testing of controls.
Encryption: This includes the implementation and use of encryption algorithms, keys, passwords and specific protection measures to ensure the integrity and confidentiality of sensitive personal data.
Network Communications: This refers to the use of enterprise data protection services that include a network monitoring system that constantly monitors network communications and blocks any suspicious activity or security breach.

According to experts from an enterprise data protection company, the following are the security checks that are mandatory for all personal data processing systems to ensure compliance with the privacy and personal data protection law:

• Implementation of the security policies.
• Maintaining documentation of roles and responsibilities of personnel responsible for the processing of personal data.
• Access and incidents logging.
• Identification and authentication system.
• Support management, physical and logical access.
• System backup and recovery.
• Manage audit policies.
• Vulnerability and penetration testing.
• Support distribution.
• Telecommunications records.

The data security measures mentioned above constitute minimum requirements, so companies and/or organizations should take whatever additional measures are necessary to provide greater protection of personal data. Companies and/or organizations should seek the help of a personal data protection company or personal data protection service consultants to implement personal data protection services and solutions.
To make sure that your company is covered with regard to the privacy and data protection law, organizations such as the International Institute of Cyber Security offer tools through enterprise data protection services and a personal data protection training course, which will allow you to implement the data protection law and keep your business updated at all times according to the requirements of the legislation. The enterprise data protection services and personal data protection solutions help customers with:

• During the implementation of the privacy and data protection law they do a detailed analysis of the company's processes for the management and processing of personal data. They gather detailed information about the company, the personal data files, established procedures, the flow of information and the degree of compliance with the regulation.
• They coordinate analysis of personal data processing systems along with the development of procedures and documentation required according to the standards, as part of the enterprise data protection services.
• In the personal data protection training they teach the development of data protection policies and best information security practices for general and technical users.
• During the personal data protection audit services they deliver the data protection policies document, an evaluation of the security measures implemented and data protection law certification. In addition, they teach how to do all this during the personal data protection training, so that you can become an enterprise data protection services expert.

The personal data protection course is aimed at managers, legal and IT department professionals and anyone who wishes to understand the privacy and data protection law. The personal data protection training is a very practical course and covers the following topics:

• Introduction to data protection & privacy law.
• Implementation of environment for data protection & privacy law.
• Types of personal data and rights of access, rectification, cancellation and opposition.
• Data protection agencies and regulations.
• Detailed dataflow analysis.
• Enterprise architecture and audit procedures.
• Implementation of data protection solutions and enterprise data protection services with a methodology defined by our experience and recommended by international standards.
• Incident management procedures for handling personal data breach, sanctions and privacy complaints.

Source:http://www.iicybersecurity.com/enterprise-data_protection-services.html

Meet Pupy, a Brand New In-Memory Remote Access Tool (RAT)

Posted on

Pupy is a RAT that works on Windows, Linux, and Mac. Developers never stand still, and regardless of whether they are penetration testers or malware creators, new hacking tools always hit the market on a weekly basis.

Today we meet Pupy, a Remote Access Tool (RAT) launched last September and written entirely in Python.

Pupy is cross-platform compatible, meaning it can run on all three major operating systems, and allows attackers a wide range of options when spying on their targets.

Pupy features a fileless operation mode

Despite support for all three OSs, Windows is where Pupy works best, with the RAT featuring 100% in-memory functionality. This is achieved because the Pupy payload is compiled as a reflective DLL, loading an entire Python interpreter inside the target’s memory and working without ever touching the hard disk.

This makes detection by classic antivirus solutions a little harder and gains crucial time for any operator to exfiltrate data.

Pupy features a modular structure, allowing developers to deploy a basic skeleton on infected systems and then load modules into memory as they are needed.

A diversified attack spectrum via Pupy’s modular makeup

Some of the functionality covered by these modules includes the ability to migrate into other processes running on the victim’s OS, running modules as background jobs, an interactive reverse shell, and auto-completion for commands and arguments.

Additionally, attackers can upload and download files from infected systems, take desktop screenshots and webcam snapshots, forward local ports, log mouse and keyboard input, and execute shellcode.

All communications between the Pupy bots and the main server are done via SSL (by default), but four other transport channels are also supported.

Since Pupy comes with its own Python interpreter, Pupy modules can be simple Python files or compiled Python C extensions. This makes writing Pupy modules a whole lot easier, since Python is one of the most widespread and easiest-to-learn programming languages around.

Pupy’s source code is available under the BSD license on GitHub. Taking a quick look at the project’s milestones, expect future Pupy versions to be able to record microphone audio, support more transport layers, record network traffic, and be more silent on *NIX machines.

Microsoft extends olive branch after OneDrive cloud storage storm

Posted on

One month after cutting OneDrive storage limits for customers and completely axing ‘unlimited’ cloud storage, Microsoft has apologised and is offering to give something back. But users will still need to opt-in, and the bonuses won’t last forever.

Microsoft has back-pedalled on cuts it made to OneDrive cloud storage limits last month, giving back some of the data allowances it was set to take away and apologising for putting the blame on users for excessive use. But customers will still need to opt-in to keep their bonus storage, and the changes will expire after a year.

The company confirmed the changes in a post on its OneDrive user forum, offering users “impacted” by the changes the opportunity to get additional storage for a limited time, and the chance to opt-in to keep free storage bonuses when OneDrive plans are overhauled early next year.

The mea culpa comes a month after Microsoft announced major changes to its cloud storage, halving storage limits for paid plans (whilst keeping the price unchanged), reducing limits on free plans from 15GB to 5GB, ditching its 15GB camera roll storage bonus and completely scrapping ‘unlimited’ storage for all users.

The company is hoping the move will appease customers and curry some favour in an already competitive cloud storage market.

Microsoft is up against rivals such as Dropbox, Google Drive and the Apple-centric iCloud, all hoping to be the one place that users can store all their files to get cloud-based access from anywhere. While each provider offers free storage, these companies generate their revenue through paid plans, and storage limits are king in deciding where customers are willing to hang their hat (and their files).

But Microsoft’s group program manager Douglas Pearce came hat in hand to customers, apologising for recent changes to OneDrive plans and the way they were communicated. In his post on the OneDrive user forum, Pearce said “the announcement came across as blaming customers for using our product” and Microsoft was “genuinely sorry for the frustration this decision has caused.”

That blame referred to Microsoft calling out “a small number of users” on unlimited plans for “extreme backup scenarios,” in some cases, storing up to 75TB of data in the cloud.

While Microsoft initially set about curtailing use, Pearce said paying Office 365 Home, Personal, and University customers would continue to receive 1TB of storage, and users who received additional storage as part of Microsoft’s unlimited offer would keep this limit for at least 12 months.

To make good with disgruntled customers of the free service, anyone with more than 5GB of content stored in the cloud (under the former 15GB free storage limit) will receive a free Office 365 Personal subscription for one year. The offer will come via email early next year and will bring with it 1TB of storage.

Finally, Microsoft is offering an opt-in for its “biggest fans” to keep their 15GB of free storage after storage limits are cut early next year (and to keep their 15GB camera roll bonus, if they currently have that in place). And what constitutes being a fan? Going to the OneDrive website before the end of January 2016 and logging in to get the bonus.

While the changes may go some of the way to pacifying customers upset about the storage cuts, they still only go part of the way to clawing back the cuts made in November. What’s more, customers will need to be existing heavy users to take advantage of the bonuses, or opt in for an increase. There’s also no word on whether or not the changes will last longer than the single year.

Source:http://www.cnet.com/

Censys, the new search engine for the Internet’s secrets

Posted on Updated on

Censys is a new search engine for devices exposed on the Internet; experts can use it to assess the security measures those devices implement.

Hackers and experts now have a new powerful tool for their analysis: Censys, a search engine quite similar to the popular Shodan. Censys is a free search engine originally released in October by researchers from the University of Michigan, and it is currently powered by Google.

Censys is a search engine that scans the Internet for devices and returns aggregate reports on how resources (i.e. devices, websites, and certificates) are configured and deployed.

Censys scans the IPv4 address space daily, searching for any devices and collecting related information.

“Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet. Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed.” states the description on the Censys official website.

Censys, like Shodan, maintains a complete database of every device exposed on the Internet. It represents a privileged instrument for hackers who have to search for a specific target and need to gather information on its configuration. At the same time, security experts can easily locate poorly protected devices exposed over the Internet.

“We have found everything from ATMs and bank safes to industrial control systems for power plants. It’s kind of scary,” said Zakir Durumeric, the researcher leading the Censys project at the University of Michigan and inventor of ZMap.

Censys was developed as a part of an open source project that aims at maintaining a “complete database of everything on the Internet,” the intent is to help security experts to assess the security of products and services exposed on the Internet.

Censys uses ZMap, a network scanner that analyzes 4 billion IP addresses and collects information on a daily basis, and ZGrab, an application layer scanner. The Censys architecture and the functions it implements are detailed in the research paper.

ZMap is able to scan specific machines searching for security vulnerabilities that could potentially be exploited.

I suggest reading the MIT Technology Review piece on Censys, entitled “A Search Engine for the Internet’s Dirty Secrets,” but most interesting is the step-by-step tutorial published by the development team.

Censys is already used by security experts: recently the researchers from SEC Consult found that IoT devices re-use cryptographic keys, leaving millions of devices at risk.

The experts analyzed 4,000 firmware images and found around 580 unique private keys; the use of Scans.io and Censys.io allowed them to discover that the same set of keys was widely re-used: of the 580 keys, 230 are actively used.

Source:http://securityaffairs.co/

Google cloaks Android in Red Screen of malware Dearth

Posted on

Safe Browsing mode extended to foil phishing without draining batteries.

Google has extended its anti-social-engineering Chrome tool to Android, making big efforts to reduce blacklist bandwidth costs along the way.

The Red Screen of malware Dearth, officially branded Safe Browsing, has long been a feature of Chrome on desktop platforms, where bandwidth and processing requirements are much less restrictive.

There the red splash screen has walled off all but the most persistent to-be-pwned users from websites known to have hosted malware, advertising injectors, or other web scum.

Safe Browsing and Chrome team bods Noé Lutz, Nathan Parker, and Stephan Somogyi say they have taken their time to beat the red screen into a form that is as light as possible such that users in bandwidth-sparse and patchy connectivity countries can receive at least the most critical blacklists.

“Bytes are big: our mantra is that every single bit that Safe Browsing sends a mobile device must improve protection,” the team says.

“Network bandwidth and battery are the scarcest resources on a mobile device, so we had to carefully rethink how to best protect mobile users.

“Some social engineering attacks only happen in certain parts of the world, so we only send information that protects devices in the geographic regions they’re in.”

Updates will push the most important blacklisted websites first, so that even partial or failed updates have a chance to protect users from the most active and risky attacks.

They also hauled in the Choc Factory’s compression team to help make Safe Browsing “extra stingy” in respect to memory, processor, bandwidth, and battery use.

The protection comes activated by default with the latest version of Chrome on Android and with the recent Google Play Services version 8.1.

Android KitKat (version 4.4) is, tragically, still the most widely used Android version, running on more than a third of handsets. The combined Android Lollipop releases (versions 5.0 to 5.1.1) are found on 29.5 percent.

It is not clear what version of Play Services and Chrome those Android laggards can get, and therefore whether the Safe Browsing experience is open to them, but the trend to update to Lollipop is sweetening: in October, about 30 percent of users ran the horrid Jelly Bean versions 4.1 to 4.3.1 and few ran the latest operating systems.

Source:http://www.theregister.co.uk/

The North American cyber-criminal underground is easy to access!

Posted on

According to a new report published by Trend Micro, the North American cyber criminal underground is very easy to access.

The new report released by Trend Micro reveals that the cyber criminal underground market in North America isn’t as hidden as in other countries.

“It doesn’t exist in the dark web as much as other undergrounds do, or practice as much security,” says Tom Kellermann, chief cybersecurity officer at Trend Micro. “Essentially, it’s become a gun show for everyone as long as they can participate and are willing to pay.”

“The North American Underground primarily caters to customers within the region–users based in the United States (US) and Canada. Unsurprisingly, most of the offerings (stolen accounts, products and services, and fake documents) are US based. This is consistent with what we see in the Japanese and Brazilian undergrounds and suggests that US-based information is most sought after in it,” states the report.

In these underground markets users can buy guns, drugs, hacking services, bulletproof vests, and even money laundering services, or contract a murder.

This serves a wide range of criminal activities: traditional organized criminals are becoming “cyber aware” and now conduct their business over the internet.

“We’ve done studies and exposés of the most significant undergrounds in the world,” Kellermann adds. “The U.S. underground doesn’t practice operational security. They’ve essentially become a shopping mall.”

Of course, law enforcement is aware of this trend, and in response to increasing pressure from the authorities more of these underground markets will probably migrate to the dark web in the future, where they would be better protected.

In the 2000s, law enforcement agencies did very well and almost every U.S. cyber-criminal underground was dismantled, but in the last three years the criminal underground market has made a comeback and is getting stronger.

“It’s larger because it’s providing a wider multiplicity of goods and services,” Kellermann says. “They’re there for the drugs, weapons, passports, stolen cards, and murder for hire.”

Looking at the numbers, drugs are the most popular item in the criminal underground ecosystem, taking 62% of the market; it is also interesting to see that stolen data dumps account for 16%, fake documents 4%, weapons 2%, and murder for hire 1%.


In terms of “murder for hire”, the options on offer range from a simple beating for $3,000 to an “accidental death” for $900,000.

The remaining category is crimeware, which takes 15% of the market and includes things like malware purchases and hacking services.

Another best seller besides drugs is malware, and the malware service provider does his homework, encrypting the malware as many times as needed until it passes through endpoint products undetected.

“It’s why targeted attacks have become so prevalent,” Kellermann says. “They will make sure their attacks cannot be stopped by perimeter defenses.”


On the differences between countries, Kellermann explains:

“In the Russian or Chinese underground, they won’t sell you the back door into the system,” he says. “That’s a North American phenomenon. It’s like, I broke into a house last night, I made a duplicate of the key. You want it, you got it.”

One of the main reasons we now read about the cyber criminal underground in the news is that carrying out illegal activities in cyberspace is becoming ever easier and cheaper.

The sales model known as crime-as-a-service is attracting organized crime and is enabling rapid growth of illegal activities online.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is currently the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience at major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog.

Microsoft Takes Countermeasures After Xbox Live SSL Certificate Blunder

Posted on

Private key for Xbox Live domain leaks online

Microsoft’s security staff has detected an issue with one of the company’s SSL certificates issued for the *.xboxlive.com domain and has decided to revoke it, to avoid exposing customers to MitM (Man in the Middle) attacks.

The problem concerns the private key corresponding to one of the Xbox Live SSL certificates, which was used to establish HTTPS connections to the xboxlive.com website.

This private key was leaked online, and Microsoft can’t explain why. To safeguard users from any case in which this key is used in MitM attacks to intercept xboxlive.com HTTPS traffic, the company has revoked the SSL certificate associated with the key.

Microsoft has revoked the dirtied certificate

“To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate,” Microsoft notes in one of its security advisories.

Microsoft has started pushing updates to all products to fix the issue. More recent products like Windows 10, Windows 8.1, Windows 8, Windows 10 Mobile, Windows Phone 8.1, Windows Phone 8, and Windows Server 2012 come equipped with an automatic certificate trust list updater.

Users running older versions of Windows will have to install KB 2677070, an update that added a similar mechanism for automatically updating certificate trust lists.

Low chances of having previously been exploited in the wild

Despite the severity of the situation, the chances are low that any attacker might have used this particular leaked private key in real-world attacks.

For starters, they would have had to be aware the private key was leaked, and then they would have needed to compromise a server that stands between Xbox Live customers and the Microsoft servers so that they’d be able to intercept traffic.

If such criteria were satisfied, the attacker could have intercepted details about the various Xbox Live payments the company’s customers make on a daily basis.

Source:http://news.softpedia.com/

Learning a new computer security language: HAKA

Posted on

Haka is an open-source, security-oriented language that lets you specify and apply computer security policies on live captured traffic. HAKA is based on Lua and is a simple, lightweight and fast language. Haka’s scope is twofold, as consultants from a computer security and ethical hacking company explain. First, it allows security rules to be specified in order to filter unwanted flows and report malicious activity. Haka provides a simple API for manipulating live traffic. One can drop packets, or create new ones and inject them. Haka also supports modifying packets on the fly. This is one of Haka’s main features, since all the complex tasks, such as resizing packets and correctly adjusting sequence numbers, are handled by Haka itself. This is done live, without the need for a proxy, and is entirely transparent to the user.

Second, Haka allows protocols and their underlying state machine to be specified. Haka supports both kinds of protocols: binary-based protocols (for example, DNS) and text-based protocols (for example, HTTP). The specification covers packet-based protocols such as IP as well as stream-based protocols such as HTTP.

According to consultants from a computer security and ethical hacking company, HAKA fits into a modular framework. It includes several packet capture modules (pcap, nfqueue) that allow end users to apply their computer security policy on live captured traffic. The framework provides logging (syslog) and alerting modules (syslog, Elasticsearch). Finally, the framework has auxiliary modules, such as a pattern matching engine and an instruction disassembler module. These modules allow fine-grained computer security rules to be written to detect obfuscated malware. Haka was designed in a modular way, allowing users to extend it with additional modules.

Haka provides a collection of four important tools for computer security and ethical hacking consultants:

haka. This is the main program of the collection. It is designed to be run as a daemon that monitors packets in the background. Packets are dissected and filtered according to the specified security policy file. Haka takes a configuration file as input. This script file loads protocol dissectors, either built-in or user-defined, and defines a set of security rules.

hakactl. This tool allows the daemon to be controlled. One can obtain real-time statistics on captured packets, inspect the logs, or simply shut down/restart the daemon.

hakapcap. This tool allows a policy file to be replayed against a packet capture using the pcap module. This is useful, for example, for network forensics and ethical hacking.

hakabana. This tool allows real-time visualization and monitoring of network traffic using Kibana and Elasticsearch, according to experts from a computer security company. Hakabana consists of a set of security rules that push information about the traffic passing through Haka to an Elasticsearch server and display it through a Kibana dashboard. An additional dashboard is also available to visualize Haka alerts.
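As an added example (not code from the article or from the Haka project), here is a small Haka policy file in Lua that combines the two uses described above: a packet-level rule that only logs, and a connection-level rule that filters unwanted flows and reports them through the alert modules. The hook names (ipv4.events.receive_packet, tcp.events.new_connection), the flow fields and the haka.log/haka.alert signatures follow the Haka 0.2 documentation as I remember it and are assumptions to check against the reference for the version you run; the blocked address and the port allow-list are constructed sample values.

```lua
-- policy.lua: added illustration of a Haka security policy (not the article's
-- or the project's own code). Hook names, flow fields and the haka.log /
-- haka.alert signatures are assumed from the Haka 0.2 documentation.

-- Load the built-in dissectors the rules need.
local ipv4 = require('protocol/ipv4')
local tcp  = require('protocol/tcp_connection')

-- Constructed sample data: one source address treated as hostile, and the
-- destination ports on which new connections are allowed.
local blocked_sources = { ["192.0.2.10"] = true }            -- TEST-NET-1 range
local allowed_ports   = { [22] = true, [80] = true, [443] = true }

-- Rule 1: packet-level hook. Runs for every IPv4 packet and only logs it,
-- which is the kind of visibility the syslog logging module records.
haka.rule{
    hook = ipv4.events.receive_packet,
    eval = function (pkt)
        haka.log("policy", "ipv4 %s -> %s", pkt.src, pkt.dst)
    end
}

-- Rule 2: stream-level hook. Runs once per new TCP connection, so the
-- decision is taken on the flow rather than on each of its packets.
haka.rule{
    hook = tcp.events.new_connection,
    eval = function (flow, tcppkt)
        local src  = tostring(flow.srcip)
        local dst  = tostring(flow.dstip)
        local deny = blocked_sources[src] or not allowed_ports[flow.dstport]
        if deny then
            -- Report through the alert modules (syslog / Elasticsearch).
            haka.alert{
                description = string.format("denied tcp %s:%d -> %s:%d",
                    src, flow.srcport, dst, flow.dstport),
                severity = 'low',
                sources  = { haka.alert.address(flow.srcip) },
                targets  = { haka.alert.address(flow.dstip),
                             haka.alert.service(string.format("tcp/%d", flow.dstport)) }
            }
            -- Drop the whole connection inline: Haka handles the packets
            -- itself, no proxy is involved.
            flow:drop()
        else
            haka.log("policy", "allowed tcp %s:%d -> %s:%d",
                src, flow.srcport, dst, flow.dstport)
        end
    end
}
```

To test the policy offline, replay it against a capture with hakapcap (hakapcap policy.lua capture.pcap); the same file can then be referenced from the haka daemon’s configuration to enforce it on live traffic through nfqueue. Deciding on the new_connection event rather than on every packet keeps the per-packet work small, which matters when the policy runs inline.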

We will cover more about Haka in an upcoming article, with the help of some ethical hacking experts.