Diario de Seguridad Informática
Blog dedicado a informar sobre los avances y novedades relacionados con la seguridad informática en todos sus aspectos, con el objetivo de mantener a toda la comunidad IT al día.
jueves, 28 de octubre de 2010
Koobface llega a Mac OS y Linux
En el día de hoy se ha detectado una nueva campaña de propagación de Koobface, que tiene la particularidad de afectar a Mac OS y Linux, además de Windows. El troyano llega al usuario a través de mensajes en diversas redes sociales (Facebook, MySpace, Twitter) con la leyenda “Is this you in this video?” (en español, “¿Sos vos en este video?“). Si el usuario visita el enlace observará una pantalla simulando un video multimedia online, y se intentará ejecutar un applet de Java, lo que en los casos de muchos usuarios será alertado por el navegador. El applet no es parte de la ejecución de un video (de hecho, no hay ningún video que mostrar, es sólo un engaño, parte de la Ingeniería Social), sino que es directamente el código malicioso, una nueva variante de Koobface que aprovecha Java para poder ejecutarse en diversas plataformas.
Si se autoriza la ejecución del código Java, se descargarán archivos en una carpeta oculta (jnana), que incluyen un instalador que será ejecutado y posee las rutinas necesarias para instalar la amenaza tanto en Windows, en Linux y en Mac OS. Una vez en ejecución, las acciones del código malicioso son las mismas que las que ya conocemos de él en Windows: se ejecuta un servidor web y un servicio IRC en el sistema, como parte de la botnet de la amenaza y a la espera de nuevas instrucciones; y se activan otras funciones como la propia propagación de la amenaza, generando mensajes en las redes sociales desde el sistema infectado del usuario.
Vale destacar que diversos investigadores han probado que la implementación de la amenaza en Mac OS aún no está completamente funcional, y en muchos casos al malware no logra instalarse correctamente, aunque sí es importante destacar que los creadores de Koobface ya están haciendo foco en el malware multi-plataforma, y podremos ver nuevas variantes similares en un futuro. En la siguiente imagen podemos ver la página fuente de la infección, a través de un sistema Linux, extraída de un interesante informe que incluye un video completo de la infección bajo la plataforma libre:
Los usuarios de ESET están protegidos, ya que las variantes de Koobface son detectadas por ESET NOD32 Antivirus, tanto en su versión para Windows, para Mac OS (disponible para licencias Business) o para Linux (aún en estado beta). Como medida adicional, para todos los usuarios, recuerden que la instalación del troyano utiliza Ingenieria Social, por lo que intenten evitar el acceso a sitios web que utilicen el mensaje indicado (o similares), y estén atentos a los sitios web que intenten ejecutar código Java en el sistema.
Autor: Sebastián Bortnik
Fuente: blogs.eset-la.com
Nuevamente saltean el bloqueo con código del iPhone
La vulnerabilidad fue publicada en el foro MacRumors por un usuario que descubrió una secuencia de teclas que volvió inútil el bloqueo con código.
Cuando su iPhone es bloqueado con un código de golpe de Llamada de Emergencia, entonces ingrese un número que no sea de emergencia tal como ###. Luego golpee el botón de llamada e inmediatamente el botón de bloqueo. Se deberá abrir la aplicación de Teléfono donde podrá ver todos sus contactos, llamar a cualquier número, etc.
No es la primera vez que el código de iPhone es deshabilitado con unos pocos golpes de tecla.
Fuente: Blogs ZDNet
jueves, 16 de septiembre de 2010
Seguridad inalámbrica: Cómo ayudar a los empleados a evitar peligros
Seguridad inalámbrica. Cómo ayudar a los empleados a evitar peligros
Los empleados están exponiendo información profesional y personal sin saberlo cuando ingresan en hot spots Wi-Fi públicos en hoteles, aeropuertos y cafeterías.De hecho, tal y como confiesa Ryan Crum, anterior director de seguridad de la información de PricewaterhouseCoopers Advisory Services, no es difícil ver números de la Seguridad Social sin proteger, datos financieros e información sobre fusiones y adquisiciones circulando en redes Wi-Fi públicas, sobre todo, en mensajes de correo electrónico.
Por eso, los expertos en seguridad recomiendan que los responsables de TI de las empresas tomen una serie de precauciones para proteger los datos corporativos de los peligros que les acechan en los puntos de acceso públicos.
Establecer y hacer cumplir fuertes políticas de autenticación para los dispositivos que intentan acceder a redes corporativas.
Pedir a los empleados utilizar una VPN corporativa y medidas de encriptación cuando hagan conexiones e intercambien datos. Mejor aún, configurar los equipos y otros dispositivos móviles de modo que se conecten automáticamente a la VPN y encripten los datos, eso sí, siempre después de que se haya determinado que el dispositivo no ha sido robado o se haya perdido.
Asegurarse de que todos los dispositivos y aplicaciones de software están configurados apropiadamente y cuentan con los parches de seguridad más recientes.
Confirmar que las políticas de seguridad corporativas prohíben a las personas transferir datos sensibles a dispositivos móviles o equipos no autorizados.
Novell debe venderse dentro de 4 semanas, indican los rumores
Fuente: http://www.linuxpreview.org/modules.php?name=News&file=article&sid=5369
martes, 14 de septiembre de 2010
Google Despide Ingeniero por Violar Políticas de Privacidad
Los empleados de Google deben comportarse de acuerdo a los lineamientos impuestos por la compañía en temas de confidencialidad, ética y estándares profesionales.
Por:Bill Coughran, Vice Presidente Senior, Ingeniería, Google Inc.
Fuente: http://googleamericalatinablog.blogspot.com/2010/09/google-despide-ingeniero-por-violar.html
Calculating the truecost of cybercrime
Market research company StrategyOne was commissioned by Symantec to study Internet users in fourteen different countries, and found that 65% of the 77,000 in the study had been personally victimized by cybercrime.
When you consider that viruses and malware are included, along with online scams, phishing attacks, hijacked accounts and intrusions, it's surprisingly that the percentage is that low. My guess is that many of the respondents have in fact had viruses or malware on their computers and didn't know it.
According to the survey, victims spent an average of 28 days and $334 repairing the damage done by cybercriminals. If you calculate that a victim's time is worth a modest $30 per hour, that's another $840, for a total average loss of well over $1000. Something the survey doesn't mention (and wouldn't be expected to, since it's sponsored by an anti-virus company) is the extra price we all pay for anti-virus, anti-malware, firewall and other security software and hardware as a result of cybercrime and our fear that we'll become victims if we don't implement those extra security measures. For many, that's another $50 or so plus $20-30 per year for the update subscription and although it can be lower (or nothing, if you use only free tools), it can also be a lot higher.
However, the true cost of cybercrime goes beyond the monetary loss.
Non-monetary costs
The Symantec survey, unlike most, attempted to delve into some of the hidden costs by asking victims about emotional impact. Not surprisingly, they found that most of the emotional reactions to being a cybercrime victim are similar to those experienced by victims of other crimes such as burglary. Victims reported feeling angry, annoyed, and cheated, and had little hope that their attackers would be caught and punished. Experiencing cybercrime is, after all, very similar to being burglarized or vandalized. When someone else enters your space - whether it's your home or your computer - and takes or damages your property, you feel violated.
Most victims of personal crime also experience another emotion that the survey apparently didn't ask about: fear - sometimes bordering on paranoia - that it will happen again. Are cybercrime victims different in that respect? The survey showed that only a little over half said they would change their own behavior if they became victims of cybercrime. There are no details in this report as to exactly what behaviors they would change.
However, I've talked to some people - generally those who are less technically inclined - who have changed their online behaviors drastically after being victimized. Some have gone so far as to stop using the computer for any sort of financial transactions - online purchasing, banking, etc. This is especially true of those who have been victims of identity theft. That's true even though, according to a Forbes article earlier this year, the average cost of identity theft to individuals has declined because the financial institutions are picking up more of the tab.
Of course, it would be naïve to think that the consumers don't end up bearing at least some of this cost in the form of high fees and interest rates that those institutions charge to cover this cost of doing business - while those institutions write off the losses on their corporate taxes.
Suffering in silence
Perhaps one of the most interesting findings in the Symantec study was that less than half of those victimized by cybercriminals - only 44% - reported the crimes to law enforcement. We can only speculate about the reasons for that, but based on studies of other types of crime victims, I'd guess some or all of the following apply:
- They don't trust police and don't have any faith that anything will be done if they do report it.
- They don't want to spend even more of their time filling out forms and talking to law enforcement personnel and generally dealing with the "hassle factor" involved in reporting.
- They don't think the crime is serious enough or significant enough or their losses large enough to warrant taking up the time of law enforcement.
- They don't want to think of themselves as victims and are in denial.
- They don't want others to know they were victimized because they think it makes them look weak or stupid (or in the case of businesses, will cause them to lose clients because the clients won't trust them to be able to adequately protect client data).
- They blame themselves for not having bought that firewall or anti-malware program or for clicking on that link or visiting that web site or lowering their computer's security settings to make it easier for them to access what they wanted.
Burglary victims often hold the same belief that police won't or can't pursue the criminals who broke into their homes and will do nothing more than take and file a report. However, they are more likely to report the crime because they may need a police report on record to collect insurance, and because they do believe the police may step up patrols in the area and thus help prevent it from happening again.
Loss of data or damage to computer software caused by cybercriminals is usually not covered by insurance, and there's not much police can do to protect victims from further incidences. If victims do report the crime, and nothing comes of it, this tends to further reduce their faith in the criminal justice system and may deter them from reporting other, more serious crimes in the future. The "hassle factor" issue goes hand-in-hand with this; victims would be more willing to spend the time and deal with the bureaucracy if they believed it would result in the criminal being brought to justice.
In many cases, the monetary loss due to cybercrime - such as the value of time spent reformatting a drive, reinstalling an operating system, and restoring data from backup - is difficult to determine. Even when there is a direct monetary loss, as in the case of identity theft, it may be delayed or it may be difficult to prove that the identity theft was linked to the Trojan or network intrusion; it seems likely, but might not be provable.
Some people deal with crime - even far more personal crimes such as assault and rape - by trying to put it out of their minds completely and pretending it never happened. Reporting it to the police makes it indisputably real. And even if they acknowledge to themselves that they've been victimized, they may not want anyone else to know about it because they believe it diminishes them in others' eyes. It's embarrassing, even humiliating, to admit that a cybercriminal got the best of you.
Self-blame is commonly seen in rape victims, but also in victims of burglary, robbery and theft. When it comes to cybercrime, all the warnings about what can happen and admonitions to protect yourself are well intended and useful, but also contribute to the tendency of victims to feel guilty or "stupid" for not having done enough to prevent it. People who feel guilty or think it's their own fault are less likely to report a crime. Thus if we want to encourage more reporting of cybercrime, it's important, when educating users about security, to word it in a way that doesn't denigrate them for failing to implement security measures that are strong enough.
Cost to business
The Symantec survey deals primarily with personal consequences of cybercrime. Although many individuals have valuable information on their computers, as well as personal data and financial data that can be exploited for identity theft, the exact value of that data is often difficult to quantify. It's easier in some ways to estimate the costs of cybercrime incidents to businesses.
InformationWeek Analytics' "Global Threat, Local Pain" report deals more with the effect of cybercrime on companies world-wide.
An interesting finding in that report (page 2) is that only a small percentage of time/staff resources is devoted to end user security awareness training (9% in 2009, 11% in 2010) and monitoring employee behavior (7% both years). Note that we're not sure about these numbers, though, since the total adds up to much more than 100%. In any event, this relatively small amount of time that focuses on users seems strange in light of the fact that (on page 6), authorized users/employees is seen as the second greatest threat, with 70%, after hackers (their term) at 77%.
The monetary cost of cybercrime to businesses varies widely, depending on which study you cite. In 2009, a McAfee study estimated the overall cost of cybercrime to be as much as $1 trillion on a global basis, based on a survey of CIOs in several countries.
A recent study conducted by Ponemon Institute for ArcSight and reported in Network World looked at forty-five organizations in the United States and found that average cost to an individual organization is $3.8 million per year. This number did not include the cost of preventative measures such as anti-virus and firewalls, but just direct costs of responding to, mitigating and cleaning up after an attack. Whereas the average time required was fourteen days, malicious insider attacks took up to forty-two days or more.
These direct costs are really only the tip of the iceberg, though. When a company falls victim to a security breach, especially if it involves exposure of customer/client data, the cost to future business due to a damaged reputation is impossible to measure. And it's also important to recognize that in many cases, companies don't even know themselves that they've experienced losses due to malware, intrusions and other criminal activities because the attacks are designed to be surreptitious. Unlike the theft of a physical object, theft of data may go unnoticed if the original is left in place. These unnoticed losses may never be detected or reported.
Bringing the cost down
The answer to reducing the cost of cybercrime to all of us is simple: catch the criminals. Actually doing that is not so simple. Jurisdictional issues, privacy issues and anonymity, budget constraints and many other factors combine to make cybercrime enforcement difficult for law enforcement agencies. Few other types of crime can be committed from half way around the globe, without ever setting foot in the same country where your victim and the object of the crime are located. Better tracking of criminal activities generally also means more tracking of all Internet activity, and invasion of the privacy of legitimate Internet users. To many, that's too high a price to pay. And the monetary cost of enforcing laws in cases that span many miles add to the challenge for agencies facing tight budgets in a continuing weak economic climate.
Many of the resources allocated for fighting cybercrime are channeled into efforts to detect and prevent the most serious of cybercrimes, cyberterrorism. Because the potential losses from a successful cyberterrorist attack are so great and include loss of lives and disruption of society, it makes sense to make it a top priority. However, that means crimes that "only" involve loss of money may not get as much attention as the victims of those crimes would like.
Until these issues can be resolved, we'll keep addressing cybercrime in reactionary - rather than proactive - mode. And that means the criminals will stay one step ahead. In future columns, we'll look in more detail at these issues and possible solutions or workarounds for each. In the meantime, the victims and potential victims of cybercrime face a tough question: Are we willing to pay the price (both monetary and non-monetary) that would be required to bring more cybercriminals to justice?
Get IT tips, news, and reviews delivered directly to your inbox by subscribing to TechRepublic's free newsletters.
Fuente: http://blogs.techrepublic.com.com/security/?p=4438
Making Penetration Testers Lives Awful
Tenable, compañía que desarrolla el analizador de vulnerabilidades Nessus, ha publicado un artículo muy bueno con recomendaciones para protegerse de los métodos típicos usados por los Penetration Testers. Recomiendo leer el artículo completo: ACÁ