2015/12/01

Millions of Internet Things are “secured” by the same “private” keys

European security consultancy SEC Consult has spent time over the past few years looking at embedded devices on the internet.
Embedded devices are what you might call the high end of the Internet of Things (IoT) – or, to use the cynic’s description: tiny computers, usually built down to a price, embedded in household devices for which form, function and price come way ahead of security, if security is even considered at all.
SEC Consult has examined thousands of devices such as internet gateways, routers, modems, IP cameras, VoIP phones, and more, from over 70 vendors.
The researchers took two approaches:
  • Analyse device firmware images for cryptographically-related content. (Many devices are Linux-based, so the firmware and its source code are supposed to be public.)
  • Perform internet scans to examine devices that are connected to the internet. (This is not hacking, just looking for services that are already explicitly available from the public side of the network.)
One of the things they looked for was cryptographic keys for the SSH and TLS protocols.
SSH is typically used to secure remote logons or file copying; TLS is typically used to secure web traffic using HTTPS.
Both these protocols use what’s called public-key cryptography, where the server generates a special keypair when it is installed or first starts up, consisting of:

  • public key, which you tell to everyone, used to lock transactions to and from the server.
  • private key, the only way to unlock data that was locked with the public key.
The idea is simple: by having a two-key lock of this sort, you don’t have to share a secret key with the other end before you first communicate, and you don’t have to worry about sharing that secret key with someone who later turns out to be a crook.
The vital part of this two-key system is the rather obvious requirement that you keep the private key private, thus the name private key.
Generally speaking, your private key is for you to use on your server, to secure your (and your customers’) traffic.
If you let anyone else get a copy of your private key, you’re in real trouble, because they could set up an imposter site, and use your private key to convince visitors that they were you.
Or they could intercept traffic between you and your customers, and use your private key to unscramble it later on.
Carelessness with a private key is like letting someone else borrow your signing seal. (These are still widely used in the East, though they have long died out in the West.)
With your signet ring on his finger, a crook could sign a completely fake document in your name, or open up a sealed document you’d already sent and then re-seal it so the recipient would never know.
You’d think, therefore, that private keys on embedded devices would be something any vendor would take seriously: one device, one key, generated uniquely and randomly, either on first use or securely in the factory.
But SEC Consult found the following rather alarming facts:
  • 3.2 million devices were using one of just 150 different TLS private keys.
  • 0.9 million devices were using one of just 80 different SSH private keys.
Remember, these were all keys that the researchers found uncontroversially by looking, without any hacking, whether white-hatted, grey-hatted or black-hatted.
In other words, we should assume that every cybercrook worth his salt (yes, that’s a pun!) already has these 230 digital signet rings handy, ready to wield them whenever convenient.
Worse still, as SEC Consult points out, it’s extremely unlikely that all of the millions of devices mentioned above were supposed to be accessible, whether by TLS or SSH, over the internet, especially since many of the TLS-protected web services, and most of the SSH ones, relate to administration and configuration of the device itself.
On most networks, administration access is supposed to be limited to users on the internal network, if only to reduce the number of places from which a crook could try connecting.
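As an added illustration of the firmware-analysis approach described above (this is not SEC Consult’s tooling), the following Python script pulls PEM private-key blocks out of firmware images and reports any key that turns up in more than one image. The firmware blobs and key bodies it works on are constructed stand-ins, not real vendor images or real keys.

```python
"""Find private keys embedded in firmware images and flag keys that are
shared between images.  Added example, not SEC Consult's tooling; the
firmware blobs and key material below are constructed stand-ins."""
import hashlib
import re
from collections import defaultdict

# A PEM private key as it sits on disk: header line, base64 body, footer.
# The group in the header captures RSA/EC/DSA/PKCS#8 variants and the
# backreference insists the footer names the same kind of key.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*"
    rb"([A-Za-z0-9+/=\s]+?)"
    rb"-----END \1-----"
)


def key_fingerprint(body):
    """SHA-256 over the base64 body with all whitespace removed, so the same
    key re-wrapped to a different line length still yields the same value."""
    return hashlib.sha256(b"".join(body.split())).hexdigest()


def extract_private_keys(blob):
    """Return [(kind, fingerprint), ...] for every PEM private key in blob."""
    return [(m.group(1).decode(), key_fingerprint(m.group(2)))
            for m in PEM_KEY_RE.finditer(blob)]


def shared_keys(images):
    """images: {image_name: bytes}.  Returns {fingerprint: [image names]}
    for every key present in two or more images.  An empty dict is what a
    vendor generating one unique key per device should produce."""
    owners = defaultdict(set)
    for name, blob in images.items():
        for _kind, fp in extract_private_keys(blob):
            owners[fp].add(name)
    return {fp: sorted(names) for fp, names in owners.items() if len(names) > 1}


def _pem(kind, body, width=64):
    """Wrap a (constructed) base64 body into a PEM block with the given
    line width.  Only used to build the sample images below."""
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n"
            % (kind, "\n".join(lines), kind)).encode()


# Constructed sample data: the bodies are NOT real keys, just base64-looking
# filler, and the surrounding bytes stand in for the rest of each image.
BODY_A = "MIIEowIBAAKCAQEA" + "A" * 100 + "=="
BODY_B = "MHcCAQEEIA" + "B" * 60 + "=="
SAMPLE_IMAGES = {
    # two router firmware builds that ship the same RSA key, wrapped differently
    "router-v1.bin": b"\x7fELF\x00\x00" + _pem("RSA PRIVATE KEY", BODY_A, 64) + b"\x00" * 8,
    "router-v2.bin": b"squashfs" + _pem("RSA PRIVATE KEY", BODY_A, 76),
    # a camera image with its own unique EC key
    "camera.bin": b"\xff" * 4 + _pem("EC PRIVATE KEY", BODY_B),
    # an image that carries a certificate but no private key at all
    "switch.bin": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for fp, names in shared_keys(SAMPLE_IMAGES).items():
        print("key %s... shared by %s" % (fp[:16], ", ".join(names)))
```

On real firmware you would first unpack the image (filesystem, compressed sections) before scanning, since keys stored in a compressed partition will not appear as plain PEM text.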

WHAT TO DO?

If you create firmware for embedded devices:

  • Don’t share or re-use private keys. If you generate firmware files for each device, customise the keys in each firmware image and use it once only. If you generate keys when the device first starts up, don’t rely on “random” data sources that are likely to be the same on every router at first boot (e.g. how long since the power came on, or how much memory is installed).
  • Don’t enable remote administration by default.
  • Don’t let users activate a new device until they have set all necessary passwords. In other words, get rid of default passwords – every crook has a list of what they are.
If you use embedded devices:

  • Set proper passwords before taking the device online.
  • Only turn on remote administration when genuinely necessary. Also, consider two-factor authentication for external users, to reduce the risk posed by stolen passwords.
  • Verify your remote access settings. Consider using a network diagnostic tool such as nmap. You may as well scan your own network for security mistakes. The crooks will!
  • Re-generate cryptographic keys, if you can, as part of installing the device. This is a way to get rid of any low-quality keys inherited by default. 

2015/08/31

France, the top target of DDoS attacks in 2015 according to Kaspersky Lab | UnderNews

Here is a piece of news that will not reassure Internet professionals in France… And for good reason: the Russian security vendor Kaspersky Lab has published a study placing France at the top of the podium for DDoS attacks in Europe during the second quarter of 2015.

Three quarters of the resources attacked by botnets in the second quarter of 2015 are located in just 10 countries, according to statistics from the Kaspersky DDoS Intelligence system.

At the top of the ranking, the United States and China record a large number of attacks because of the low cost of hosting in those countries. However, the changes in the other positions of the ranking and the growing number of countries affected by this type of attack show that no territory is safe from DDoS attacks.

Key facts:
  • The number of countries in which attacked resources were located rose from 76 to 79 during the second quarter of 2015;
  • At the same time, 72% of victims were located in just 10 countries;
  • However, this figure has fallen compared with the previous period: in the first quarter, 9 out of 10 victims were in the top 10.
Distribution of unique DDoS attack targets by country, Q2 vs. Q1 2015



The top 10 for the second quarter included Croatia, while the Netherlands left the ranking. China and the United States kept their dominant positions; South Korea pushed Canada out of third place. The cause is an explosion in botnet activity, most of it targeting South Korea. In addition, the proportion of attacks located in Russia and Canada fell compared with the previous quarter.

“Social engineering techniques, the appearance of new types of Internet-connected devices, software vulnerabilities and the underestimation of the importance of anti-malware protection have contributed to the spread of botnets and to the increase in the number of DDoS attacks. As a result, completely different companies can be targeted regardless of their location, size or type of activity. The list of victims protected from DDoS attacks by Kaspersky Lab in the second quarter of 2015 included government organisations, financial institutions, mass media and even educational institutions,” commented Evgeny Vigovsky, Head of Kaspersky DDoS Protection at Kaspersky Lab.

Kaspersky DDoS Intelligence statistics also showed significant changes in the number of botnet-based DDoS attacks over time:
  • A sharp increase in the number of attacks was observed in the first week of May, while the end of June showed the lowest activity;
  • The peak number of attacks per day (1,960) was recorded on 7 May;
  • The “quietest” day was 25 June, with only 73 attacks recorded;
  • Meanwhile, the longest DDoS attack of the quarter lasted 205 hours (8.5 days).
As for the technology on which the attacks are based, the cybercriminals involved in developing DDoS botnets are investing more and more in building botnets out of network devices such as routers and DSL modems. These changes almost certainly herald an increase in the number of botnet-based DDoS attacks in the future.

Kaspersky DDoS Intelligence Report Q2 2015

To learn more about the principles behind Kaspersky DDoS Protection, you can consult this document. The full version of the report on the data received from the Kaspersky DDoS Intelligence monitoring system is available on Securelist.com

DDoS attacks: a large-scale problem

This type of cyberattack is now simple to set up and inexpensive. Those two points are the main reasons DDoS is in fashion. Unfortunately, DDoS attacks wreak havoc quite easily, wiping out any business in a ridiculously short time… To cap it all, protective measures against this type of attack are exorbitantly priced, while attack tools are very cheap and widely accessible to everyone.

Moreover, an extortion technique increasingly exploited by cybercriminals in the USA led the US CERT to issue an alert on 17 August 2015 about extortion affecting businesses. The Internet Crime Complaint Center (IC3) did likewise.

Moore’s Murphy’s Law




2015/07/27

Google Online Security Blog: New research: Comparing how security experts and non-experts stay safe online

Today, you can find more online security tips in a few seconds than you could use in a lifetime. While this collection of best practices is rich, it’s not always useful; it can be difficult to know which ones to prioritize, and why.

Questions like ‘Why do people make some security choices (and not others)?’ and ‘How effectively does the security community communicate its best practices?’ are at the heart of a new paper called, “...no one can hack my mind”: Comparing Expert and Non-Expert Security Practices” that we’ll present this week at the Symposium on Usable Privacy and Security.

This paper outlines the results of two surveys—one with 231 security experts, and another with 294 web-users who aren’t security experts—in which we asked both groups what they do to stay safe online. We wanted to compare and contrast responses from the two groups, and better understand differences and why they may exist.

Experts’ and non-experts’ top 5 security practices

Here are experts’ and non-experts’ top security practices, according to our study. We asked each participant to list 3 practices:



Common ground: careful password management

Clearly, careful password management is a priority for both groups. But, they differ on their approaches.

Security experts rely heavily on password managers, services that store and protect all of a user’s passwords in one place. Experts reported using password managers, for at least some of their accounts, three-times more frequently than non-experts. As one expert said, “Password managers change the whole calculus because they make it possible to have both strong and unique passwords.”

On the other hand, only 24% of non-experts reported using password managers for at least some of their accounts, compared to 73% of experts. Our findings suggested this was due to lack of education about the benefits of password managers and/or a perceived lack of trust in these programs. “I try to remember my passwords because no one can hack my mind,” one non-expert told us.

Key differences: software updates and antivirus software

Despite some overlap, experts’ and non-experts’ top answers were remarkably different.

35% of experts and only 2% of non-experts said that installing software updates was one of their top security practices. Experts recognize the benefits of updates—“Patch, patch, patch,” said one expert—while non-experts not only aren’t clear on them, but are concerned about the potential risks of software updates. A non-expert told us: “I don’t know if updating software is always safe. What [if] you download malicious software?” and “Automatic software updates are not safe in my opinion, since it can be abused to update malicious content.”

Meanwhile, 42% of non-experts vs. only 7% of experts said that running antivirus software was one of the top three things they do to stay safe online. Experts acknowledged the benefits of antivirus software, but expressed concern that it might give users a false sense of security since it’s not a bulletproof solution.

Next Steps

In the immediate term, we encourage everyone to read the full research paper, borrow experts’ top practices, and also check out our tips for keeping your information safe on Google.

More broadly, our findings highlight fundamental misunderstandings about basic online security practices. Software updates, for example, are the seatbelts of online security; they make you safer, period. And yet, many non-experts not only overlook these as a best practice, but also mistakenly worry that software updates are a security risk.

No practice on either list—expert or non-expert—makes users less secure. But, there is clearly room to improve how security best practices are prioritized and communicated to the vast majority of (non-expert) users. We’re looking forward to tackling that challenge.

2015/07/10

OpenSSL CVE-2015-1793 (cert. verification bug) – what you need to know


If you have anything to do with web security, like we do, you've probably been in "bated breath" mode this week.

That's because the OpenSSL team announced, on Monday 2015-07-06, that it had a "high severity" update coming out in three days' time, meaning today, Thursday 2015-07-09:
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p.
These releases will be made available on 9th July. They will fix a single security defect classified as "high" severity. This defect does not affect the 1.0.0 or 0.9.8 releases.
And that's all she wrote.

What is OpenSSL?

OpenSSL is a very widely used internet security toolkit that implements a cryptographic security protocol called TLS/SSL, and puts the "S" in HTTPS for a great many websites.
OpenSSL is also widely known because of the Heartbleed vulnerability, uncovered in 2014.
Heartbleed meant that almost anyone with an internet connection could suck secret data out of your servers at will, without actually needing to break in or even to do any sort of hacking.
To trigger the Heartbleed bug, you merely asked the server to send you a so-called keep-alive message.
A keep-alive system is an uncontroversial feature that many internet protocols support, because keeping an existing connection going is a lot less complicated than starting a new one.
Keep-alives are a bit like those short conversations about not very much that you have every now and then when you're travelling in a car at night, just to make sure the driver's still alert.
The Heartbleed problem was that you could ask the server to send you a keep-alive response that was much larger than the memory buffer it was using to process your keep-alive message, and it would happily oblige.
So, you'd receive a reply that included your message, followed by random extra stuff out of server memory that you weren't supposed to see.
Most of it would be harmless, but every now and then you might get hold of snippets of other people's traffic, passwords, encryption keys, and more.

Waiting for the fix

These historical facts – the prevalence of OpenSSL and bad memories of Heartbleed – meant that OpenSSL's terse email notification on Monday wasn't very comforting.
Why an update just for a single security hole? How "high" was the high severity?
Was this going to be a denial-of-service bug? Or would it be a data leakage hole, like Heartbleed?
Or a full-on remote code execution flaw that would allow outsiders to run commands on your server as if they were actually logged in to your network?
More specifically, would all sub-versions of OpenSSL in the 1.0.1 and 1.0.2 series be at risk, or would some releases turn out to be OK?
How to prepare for what was coming on Thursday?

The flaw

The update is out, and our verdict is that the bug isn't as bad or as widespread as we feared at first.
Nevertheless, if you're vulnerable, you need to act.
Simply explained, CVE-2015-1793 is a certificate verification flaw.
This means that crooks who can lure or misdirect you to a bogus website (or email server, or indeed any internet service using TLS/SSL for its security) may be able to trick you into thinking that you are somewhere legitimate and secure.
As you probably know, TLS/SSL relies on a "chain of trust" formed by cryptographic certificates.
This chain of certificates reassures you that the secure website you are visiting really does belong to the organisation you expect.
Here's an example we've used before, based on Naked Security itself:


Naked Security's certificate is owned by Sophos; Sophos's right to represent itself as Naked Security is vouched for by GlobalSign; and GlobalSign's right to vouch for Sophos is vouched for by Firefox.
If crooks created their own certificate claiming to be Sophos, and used it to vouch for a fake version of Naked Security, they'd almost certainly come unstuck.
Your browser would complain: the certificate presented by the crooks wouldn't be vouched for by any trusted certificate authority (CA).
You'd see a warning like this:


→ Wrongly-signed certificates do turn up from time to time, and can cause serious security problems. Bad certificates are often down to an insecure, venal or incompetent CA. CAs who don't take security seriously are usually thrown out by the major browser makers, thus effectively cancelling all certificates they've signed. The errant CA will be expected to show strong reasons before it will be trusted again.

Effects of the bug

This latest bug in OpenSSL means that a crook may be able to create a certificate in someone else's name, and then to sneak it past OpenSSL's certificate verification process without triggering a warning, even though the certificate isn't signed by a trusted CA.
That makes a man-in-the-middle (MiTM) attack feasible, where a crook intercepts your traffic, say to a social networking site; feeds you a fake login page with a fake HTTPS certificate; and convinces you to give away your password because the warnings that ought to prevent the phishing deception never show up.

How big is the risk?

Fortunately, the scope of this bug is narrower than we feared after reading Monday's OpenSSL advisory.
First, this bug doesn't give cybercrooks the ability to steal data or break into your servers directly, because:
  • Crooks can't bleed confidential data from your server at will, as with Heartbleed.
  • Crooks can't sniff (record) arbitrary network traffic and crack the TLS encryption later.
  • Crooks can't send malformed data packets and break into your web, email, or other OpenSSL-protected servers.
Second, only four of the many officially-supported OpenSSL versions are affected:
  • Versions 1.0.2b and 1.0.2c need updating to 1.0.2d. (Earlier 1.0.2 sub-versions are immune.)
  • Versions 1.0.1n and 1.0.1o need updating to 1.0.1p. (Earlier 1.0.1 sub-versions are immune.)
  • All 0.9.8 versions are immune.
  • All 1.0.0 versions are immune.
Third, most servers (unless they connect to other servers, or do reverse certificate verification of clients, which is rare) are not affected, because this certificate trickery affects the client that is connecting, not the server it is connecting to.
Fourth, all the Big Four web browsers – Internet Explorer, Firefox, Safari and Chrome – do not use OpenSSL and are therefore immune.

What to do?

Many products other than web browsers, including software updaters, RSS feed readers, scripting tools and email clients, not only use TLS/SSL but may include code from OpenSSL.
These may need updating.
If you aren't sure, ask the maintainers (for open source products) or your vendor (for commercial software) to tell you whether they use OpenSSL, and whether the products needs updating.

What about Sophos products?

The good news is that Sophos products are not at risk from this bug.
Only the current pre-release version of Sophos Management Communication System (MCS 3.0.0 Beta) includes an affected version of OpenSSL.
However, MCS does not use the buggy part of the OpenSSL code, so cannot fall foul of the bug. (Nevertheless, we expect to update MCS 3 Beta with the latest OpenSSL version by mid-August 2015.)
All other Sophos product families either don't use OpenSSL at all, or use one of the unaffected versions.
This list includes: Sophos UTM, Sophos Secure Web Gateway, Sophos Secure Email Gateway, PureMessage for Unix/Linux, Sophos Antivirus/Sophos Endpoint Protection, Sophos for vShield, Sophos Cloud and Sophos Mobile Control (server and mobile apps).

2015/07/08

Red alert: another critical vulnerability in OpenSSL


The OpenSSL project is asking everyone to prepare for the imminent arrival of a patch to close a security vulnerability rated as high severity.
The details remain a mystery, but the OpenSSL project is keeping system administrators and developers on alert. On 9 July, a patch will be published to fix a security vulnerability whose severity rating is at the top of the scale.

OpenSSL is the well-known open source cryptography library that is widely used for Internet communications with the SSL/TLS protocols. The web still remembers the so-called Heartbleed flaw disclosed last year.

Then there was POODLE a few months later, and that was before FREAK. No scary nickname yet for the next big flaw in OpenSSL… and that may be a good sign.

The OpenSSL project says that updates for OpenSSL versions 1.0.1 and 1.0.2 will be published next Thursday to close the mysterious vulnerability. These branches currently support TLS v1.1 and TLS v1.2 respectively. System administrators and developers will then need to react promptly.

At this stage, the only real clue is that a high-severity security vulnerability can cover problems such as a denial of service against a server, a significant memory leak and remote code execution. Suspense…

2015/07/06

The best hours for working in an open-plan office | CommitStrip




The top three banking malware families

The primary motivator behind banking malware attacks is to capture credentials, financial data, and personal information from employees, and from partner companies’ employees, across industries, and then to use this stolen information in fraudulent wire transfers or fake automated clearing house (ACH) transactions to steal funds.


SecurityScorecard sinkholes found 11,952 infections affecting 4,702 organizations and identified the top banking malware families to be Dridex, Bebloh and TinyBanker:
  • These malware families are simple in functionality, which is proving to be more profitable than more complex techniques and methods, such as taking antiquated, bloated code bases from third-party malware coders.
  • Dridex is the most prolific Trojan being circulated within the corporate sector.
  • The use of banking malware is not limited to large financial institutions, though they remain the primary targets.
  • Dridex spreading campaigns appear to be orchestrated by more advanced actors with an interest in targeted attacks.
  • The healthcare industry experienced the lowest rate of Bebloh infections, but did not experience the same rate of infection as other industries.
"Security awareness and education is never enough. The evolving tools, techniques, and procedures that are continuously honed by malicious actors make it nearly impossible for every individual in an enterprise to be aware of the latest attack method," said Alex Heid, Chief Research Officer of SecurityScorecard. "To prevent financial losses from an attack, businesses need a closed loop of communication between partners, suppliers, and all third parties that are impacted by banking malware. It is critical that companies think about their collective information security ecosystem when gauging their own security risk."

The top three banking malware families being captured are all direct variants of Zeus, or mimic Zeus-like functionalities. These malware attacks are the preferred method of obtaining stolen credentials, especially when traditional attacks on web applications or network-based attacks are being monitored by internal security teams.


2015/05/19

Every 4 Seconds New Malware Is Born

New research data out today shows that the rate of new malware variants released by malicious attackers continues to break records. According to the G DATA SecurityLabs Malware Report, new malware types were discovered less than every four seconds and 4.1 million new strains were found in the second half of 2014, an increase of close to 125 percent over the first half. Over the course of the entire year, nearly 6 million new malware strains were discovered. This is a 77 percent increase over 2013.
The data shows that in the second half of 2014, Trojans still remained atop the categories tracked by G DATA researchers, but could be on pace to be supplanted by adware. Adware showed the highest rate of growth among all of the malware categories, at a rate of 31.4 percent. While the number of new downloaders was on the rise during the second half, adware's growth rate outpaced that rise to take over the number two spot on the malware category chart. Meanwhile, spyware increased in prevalence while backdoors decreased, putting them in the number four and five spot, respectively.
Interestingly, while rootkits ranked ninth in the categories list, the second half of the year saw a huge spike in their prevalence. The report showed that there were 18 times more new variants than in the first half of 2014.
Specifically within the Trojan market, researchers reported that the second half of the year was novel in that there were no significant innovations compared to previous years.
"In the past, more and more new Trojans have been appearing very quickly in this sector over the years, with new groups in the background using new attack methods. However, in recent months there have been few changes to report," the study said, explaining that in spite of this the volume of attacks is still rising. According to G DATA, the number of banking Trojan attacks rose by 44.5 percent.
The authors speculated that the banking Trojan market seems to have consolidated due to a number of reasons.
"Improved security measures by banks are making it more and more difficult for online bank robbers to get money from bank customers," explains Ralf Benzmüller, head of G DATA SecurityLabs.
Some of the factors at play include an increase of criminal prosecutions against attackers, improved two-factor authentication measures and greater dependence by banks on anomaly detection to reduce fraud. As researchers explained, there's an increased risk for criminals and fraud takes more effort for lower yield. There's also a higher barrier to entry as attacks take "a certain amount of expertise and infrastructure" to carry out.

2015/05/18

High-level, state-sponsored Naikon hackers exposed


The activities of yet another long-running apparently state-sponsored hacking crew have finally been exposed.

The Naikon cyber-espionage group has been targeting government, military and civil organisations around the South China Sea for at least five years, according to researchers at Kaspersky Lab.
The Naikon attackers appear to be Chinese-speaking and chiefly interested in top-level government agencies and civil and military organisations in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal.
The group relies on standard cyber-spy tactics: custom malware and spear phishing featuring emails carrying attachments designed to be of interest to the potential victim. This attachment might look like a Word document, but is in fact an executable file with a double extension.

Naikon has developed platform-independent code and the ability to intercept the entire network traffic, marking them out as more capable than the norm.
The remote access trojan routinely used by the crew comes with 48 commands, including instructions for downloading and uploading data, installing add-on modules or working with the command line.

Each target country has a designated human operator, whose job it is to take advantage of cultural aspects of the country, such as a tendency to use personal email accounts for work.
As well as this social engineering to fine-tune targeting, the group also routinely places its hacking command and control infrastructure (a proxy server) within the country’s borders to facilitate real-time connections and data exfiltration.

The tactic means that suspicious traffic is not travelling outside a target's country and is therefore less likely to be flagged as potentially dodgy and subjected to further scrutiny.
"The criminals behind the Naikon attacks managed to devise a very flexible infrastructure that can be set up in any target country, with information tunnelling from victim systems to the command centre," explained Kurt Baumgartner, principal security researcher at Kaspersky Lab. 
"If the attackers then decide to hunt down another target in another country, they could simply set up a new connection. Having dedicated operators focused on their own particular set of targets also makes things easy for the Naikon espionage group."
The Naikon crew recently locked horns with Hellsing, another cyberspy group. The incident prompted Kaspersky Lab researchers, who were already looking into Hellsing, to cast their attention towards Naikon.

A full write-up of Kaspersky's findings on the Naikon cyberspies can be found in a blog post here.

The biggest problem with self-driving cars



Hacker 3D prints device that can crack a combo lock in 30 seconds


A California hacker who has become an expert in cracking locks has invented a 3D-printed machine that can crack a rotary combination lock in around 30 seconds – and he's released the plans, 3D models, and code as open source.


A few weeks ago, Samy Kamkar told the world about a manufacturing flaw in Master Lock combination locks that reveals the combination by measuring how the dial interacts with the shackle. It's a moderately tricky thing to do, requiring some software, so now he's mechanized the process with the Combo Breaker device.
The Combo Breaker uses a stepper motor to rotate the Master Lock combination dial, a servo motor to try and open the mechanism, an Arduino chip to run the software, and 3D printed parts to house the lock and ensure a firm fit with the dial controller.
If you merely slip a Master Lock into the device and set it running, the Combo Breaker will take about five minutes to find the combination – which is worrying, but not very useful if you're trying to, for example, break into someone's high school or gym locker.
But if you use Kamkar's earlier method to "prime" the device by finding the first digit of the combination by hand – something that's relatively easy to do – then the Combo Breaker can do the job in 30 seconds or less. That's quick enough to be a serious problem in the right circumstances (and the wrong hands).
Before you start panicking, Kamkar tested the device on a cheaper version of the Master Lock combination dial mechanism. The company makes tougher rotary combo locks and the Combo Breaker isn't guaranteed to work on all of them.
This isn't the first time Kamkar has caused a ruckus; he's been a major disruptive force in the tech industry for a while now. At 18, he co-founded Fonality, a multimillion dollar communications company, but then got seriously into hacking.
When he was 20, Kamkar created the Samy worm and released it onto MySpace, forcing the site to shut down temporarily. The worm was one of the fastest-spreading in history, and although it didn't carry a malicious payload, it still earned him a visit from US law enforcement and a felony charge of computer hacking.
Since then he's demonstrated critical weaknesses in near-field communications and RFID chips, discovered a major flaw in PHP, and learned how to hijack drones in mid-flight. He's a regular at the hacking conference circuit and is now an independent security consultant.

2015/05/13

DDoS Botnet Leverages Thousands of Insecure SOHO Routers

Small office and home office (SOHO) routers are an increasingly common target for cybercriminals, not because of any vulnerability, but because most routers are loosely managed and often deployed with default administrator credentials.

A new report suggests that hackers are using a large botnet of tens of thousands of insecure home and office routers to launch Distributed Denial-of-Service (DDoS) attacks.

Security researchers from DDoS protection firm Incapsula uncovered a router-based botnet, still largely active, while investigating a series of DDoS attacks against its customers that have been underway since at least December 2014.

Over the past four months, researchers recorded malicious traffic targeting 60 of its clients, coming from some 40,269 IP addresses belonging to 1,600 ISPs around the world.

Almost all of the infected routers in the botnet appear to be ARM-based models from Ubiquiti Networks, a California-based networking company, sold across the world.

This initially led researchers to believe that the cybercriminals were exploiting a firmware vulnerability in the routers.

What’s revealed in the close inspection?

However, close inspection proved this assumption wrong, revealing that:
  • All of the compromised routers were remotely accessible on the default ports (via HTTP and SSH)
  • Almost all of them still used the vendor-provided login credentials

This effectively opens the door for an attacker to perform man-in-the-middle (MitM) attacks, eavesdrop on all communication, hijack cookies, and gain access to other devices on the local network such as CCTV cameras.

Router makers design their devices to be easy to connect, so they ship every unit with the same administrator credentials and give no warning to change the defaults. Moreover, instead of letting users turn on remote administration when they need it, the manufacturers enable it by default.

"Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators," researchers wrote. "Even as we conducted our research, the Incapsula security team documented numerous new malware types being added—each compounding the threat posed by the existence of these botnet devices."

A variety of DDoS malware involvement

The security firm also discovered a variety of DDoS malware programs, including MrBlack, Dofloo, and Mayday, installed on the insecure devices in order to attempt other malicious tasks such as:
  • Redirect victims to malicious websites
  • Intercept victims’ online banking sessions
  • Inject rogue and malicious advertisements into the victim's Web traffic
  • Steal login credentials for various online accounts
  • Perform other illegal activities

The question remains — Who is behind this botnet?

Researchers found some indirect evidence correlating the router-based botnet to a notorious hackers group called Lizard Squad, a group that has used compromised routers to launch DDoS attacks against Sony's PlayStation and Microsoft's Xbox networks.

Back in January, Lizard Squad set up a DDoS-for-hire service called Lizard Stresser that was using hacked home routers. However, Incapsula believes that it’s not Lizard Stresser because it is powered by different malware programs.

The botnet comprises devices in 109 countries, with Thailand (64 percent), Brazil, and the United States being the top three most-affected nations. The firm also identified 60 command and control servers used by the criminals to control the botnet, most of them located in China and the U.S.

The bottom line

Users should also look after the safety of their own devices by making sure that they:
  • Disable all remote access to the devices unless it's specifically needed
  • Change the default login credentials for their routers to prevent unauthorized access
  • Keep their router firmware up to date

Compromised routers are nothing new. Some manufacturers, including Linksys, Asus, D-Link, Micronet, Tenda, and TP-Link, have been known to be vulnerable. Incapsula has informed the specific router manufacturers and the relevant ISPs about the insecurity of the routers they market.
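As an added example (not Incapsula's own tooling) of the defender-side distinction the article draws, a flood spread across thousands of source IPs versus one noisy host, here is a small Node.js detector run over constructed access-log lines. The log format, the window size and the thresholds are assumptions.

```javascript
// Constructed access log in an assumed "<source-ip> <epoch-seconds> <path>" format:
// a quiet window, then a burst spread over 30 distinct sources (the compromised-
// router pattern from the article), then a burst from a single source.
function buildSampleLog() {
  const lines = ["203.0.113.5 1 /", "203.0.113.5 4 /login", "203.0.113.9 7 /"];
  for (let i = 1; i <= 30; i++) lines.push(`198.51.100.${i} ${10 + (i % 10)} /`);
  for (let i = 0; i < 25; i++) lines.push(`192.0.2.77 ${20 + (i % 10)} /`);
  return lines;
}

function parseLine(line) {
  const [ip, ts, path] = line.trim().split(/\s+/);
  return { ip, ts: Number(ts), path };
}

// Buckets requests into fixed windows and flags windows whose request count
// reaches minRequests; a flagged window with at least minSources distinct
// sources is labelled a distributed flood, otherwise a single-source flood.
function detectFloods(lines, { windowSec = 10, minRequests = 20, minSources = 10 } = {}) {
  const windows = new Map();
  for (const { ip, ts } of lines.map(parseLine)) {
    const start = Math.floor(ts / windowSec) * windowSec;
    if (!windows.has(start)) windows.set(start, { count: 0, sources: new Set() });
    const w = windows.get(start);
    w.count += 1;
    w.sources.add(ip);
  }
  const alerts = [];
  for (const [start, w] of windows) {
    if (w.count < minRequests) continue;
    alerts.push({
      start,
      requests: w.count,
      sources: w.sources.size,
      kind: w.sources.size >= minSources ? "distributed-flood" : "single-source-flood",
    });
  }
  return alerts.sort((a, b) => a.start - b.start);
}

console.log(detectFloods(buildSampleLog()));
```

A distributed-flood alert is the cue to rate-limit per request pattern rather than per source IP, since blocking individual routers one at a time will not keep up.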

When software doesn't come alone


2015/04/30

Hacking a plane? Clarifications on the threat

The FBI has just issued an alert to airlines asking them to watch for attempts to connect to aircraft onboard networks.

A few days ago, security researcher Chris Roberts was stopped by the FBI as he stepped off a United Airlines flight. His computing and storage devices (a MacBook Pro and an iPad) were confiscated and he was questioned for four hours. The reason is simple: during a flight between Denver and Syracuse, New York, this aircraft security specialist claims to have connected to several of the aircraft's networks using the in-flight WiFi connection. Alert system, temperature readings, fuel levels, oil pressure, etc. Everything was within his reach.
The white hat did not hesitate to tweet his discovery, joking about the situation, while at the same time informing the authorities of the problem. Chris Roberts did not take control of the aircraft, but he made public the vulnerability of the onboard networks in aircraft in flight, a situation he has been denouncing for no fewer than 5 years and for which he has never received the slightest response from the airlines concerned.

The FBI takes the threat seriously
A few days later, when he was due to travel to the RSA conference in San Francisco, he was denied boarding on a United flight and told that the reason for the refusal would be explained to him later by e-mail. This rather ridiculous decision is obviously linked to his earlier hacking of the network and the incriminating tweet that followed...
The airline shows no gratitude for the security researcher's work, even though that work should help make airline networks safer. Why not want to prevent, or at least reduce, a potential attack through this channel? Chris Roberts has said that he connected dozens of times to the aircraft's internal networks and repeatedly warned Airbus and Boeing of his findings.
In the end, the questioning by the authorities may have been useful, since the FBI has just notified airlines to be wary of intrusion attempts against aircraft onboard computer networks. The US police stress that they currently have no technical information or perspective on whether an attacker could take control of an aircraft's navigation system via the passengers' WiFi or IFE (In Flight Entertainment) network, but they say they are taking the threat seriously and are trying to assess whether or not it is credible. They are therefore asking cabin crew to watch carefully during flights for passengers trying to connect to the network ports located under their seats.

Precise instructions
The alert bulletin describes precisely the signs that crew members should watch for: attempts to connect a cable to the aircraft's IFE system, attempts to remove the protective covers from network ports, social media posts with threatening references to air traffic control or aircraft operating networks, analysis of network logs to make sure that no suspicious activity such as network scanning or an intrusion attempt has taken place, etc.

What coder job descriptions don't say (but you still need to master)




Google Online Security Blog: Protect your Google Account with Password Alert

Would you enter your email address and password on this page?



This looks like a fairly standard login page, but it’s not. It’s what we call a “phishing” page, a site run by people looking to receive and steal your password. If you type your password here, attackers could steal it and gain access to your Google Account—and you may not even know it. This is a common and dangerous trap: the most effective phishing attacks can succeed 45 percent of the time, nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day.

To help keep your account safe, today we’re launching Password Alert, a free, open-source Chrome extension that protects your Google and Google Apps for Work Accounts. Once you’ve installed it, Password Alert will show you a warning if you type your Google password into a site that isn’t a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice.

Hackers steal 5 million dollars from Ryanair

A little under 5 million dollars (4.5 million euros) was stolen from one of the accounts of the low-cost airline Ryanair. According to the Irish company, hackers are believed to have taken the sum via "a fraudulent electronic transfer made through a Chinese bank".

2015/04/29

70 years of computer threats

Security: from the first "phreakers", who hacked telephone lines, to Heartbleed, which sowed panic across the web, the computer threat has evolved over the years. As security advances, the hackers innovate.




2015/04/28

How many sheets of paper would it take to print the whole Internet?

There are the existential questions to which some eminent specialists may devote their lives, and then there are the totally unusual questions that at least have the merit of being asked. And the answer is often quite impressive. So, the little question of the day: how many sheets of paper would it take to print the whole Internet?

Russian hackers read Obama's classified e-mails

Russian hackers read Obama's classified e-mails | UnderNews
"The investigation into a cyberattack disclosed last October shows that Russian hackers were able to access classified e-mails of US President Barack Obama. The New York Times has just reported the news."

The truth is in the commit | CommitStrip

Source: The truth is in the commit | CommitStrip - Blog relating the daily life of web agency developers

2015/04/27

Google Online Security Blog: A Javascript-based DDoS Attack as seen by Safe Browsing

To protect users from malicious content, Safe Browsing’s infrastructure analyzes web pages with web browsers running in virtual machines. This allows us to determine if a page contains malicious content, such as Javascript meant to exploit user machines. While machine learning algorithms select which web pages to inspect, we analyze millions of web pages every day and achieve good coverage of the web in general.
In the middle of March, several sources reported a large Distributed Denial-of-Service attack against the censorship monitoring organization GreatFire. Researchers have extensively analyzed this DoS attack and found it novel because it was conducted by a network operator that intercepted benign web content to inject malicious Javascript. In this particular case, Javascript and HTML resources hosted on baidu.com were replaced with Javascript that would repeatedly request resources from the attacked domains.

Source: Google Online Security Blog: A Javascript-based DDoS Attack as seen by Safe Browsing