Sunday, January 25, 2015
Thursday, January 1, 2015
Monday, December 22, 2014
National Cyber Awareness System:
12/19/2014 10:39 AM EST
Original release date: December 19, 2014 | Last revised: December 20, 2014
US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and a file is copied to and run on the newly-infected host.
Listening Implant: During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase "National Football League." Additionally, this implant listens for connections on TCP port 195 (for "sensvc.exe" and "msensvc.exe") and TCP port 444 (for "netcfg.dll"). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, "HTTP/1.1 GET /dns?\x00." The controller then responds with the string "200www.yahoo.com!\x00" (for "sensvc.exe" and "msensvc.exe") or with the string "RESPONSE 200 OK!!" (for "netcfg.dll"). The controller sends the byte "!" (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.
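The framing and handshake strings quoted above are enough to write a passive detector for this implant's traffic. The Python below is an added example, not US-CERT's code and not the malware's. The alert does not say how wide the length prefix is or whether it is itself XOR-encoded, so the block assumes a 4-byte little-endian prefix that is XORed along with the body; both assumptions are marked in the code and would need checking against a real capture. The sample streams it decodes are constructed inside the block.

```python
"""Passive decoder / classifier for the Listening Implant framing described above.

Added example, not code from US-CERT or the malware. Assumptions not stated
in the alert: the length prefix is a 4-byte little-endian unsigned integer,
and the XOR with 0x1F covers both the prefix and the message body.
"""
import struct

XOR_KEY = 0x1F
LENGTH_FMT = "<I"                      # assumption: 4-byte little-endian length
LENGTH_BYTES = struct.calcsize(LENGTH_FMT)
TERMINATOR = b"!"                      # 0x21, sent raw: no length, no XOR

# Handshake strings quoted in the alert
CLIENT_HELLO = b"HTTP/1.1 GET /dns?\x00"
SERVER_REPLIES = {
    b"200www.yahoo.com!\x00": "sensvc.exe/msensvc.exe (TCP 195)",
    b"RESPONSE 200 OK!!": "netcfg.dll (TCP 444)",
}


def xor_1f(data: bytes) -> bytes:
    """XOR every byte with 0x1F; applying it twice restores the input."""
    return bytes(b ^ XOR_KEY for b in data)


def encode_frame(msg: bytes) -> bytes:
    """Build one wire frame under the assumptions above (used to construct samples)."""
    return xor_1f(struct.pack(LENGTH_FMT, len(msg)) + msg)


def decode_frames(stream: bytes) -> list:
    """Split one direction of a reassembled TCP stream into decoded messages.

    Returns a list of bytes; a trailing raw '!' terminator is returned as b'!'.
    Raises ValueError on truncated input so callers can treat it as 'not this protocol'.
    """
    msgs, pos = [], 0
    while pos < len(stream):
        remaining = len(stream) - pos
        if remaining == 1 and stream[pos:pos + 1] == TERMINATOR:
            msgs.append(TERMINATOR)
            break
        if remaining < LENGTH_BYTES:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(LENGTH_FMT, xor_1f(stream[pos:pos + LENGTH_BYTES]))
        pos += LENGTH_BYTES
        body = stream[pos:pos + n]
        if len(body) != n:
            raise ValueError("truncated message body")
        msgs.append(xor_1f(body))
        pos += n
    return msgs


def classify_session(client_stream: bytes, server_stream: bytes):
    """Return the implant variant name if both sides match the documented handshake,
    otherwise None. Only the first message in each direction is inspected."""
    try:
        client_msgs = decode_frames(client_stream)
        server_msgs = decode_frames(server_stream)
    except ValueError:
        return None
    if not client_msgs or client_msgs[0] != CLIENT_HELLO or not server_msgs:
        return None
    return SERVER_REPLIES.get(server_msgs[0])


# Constructed sample streams (not a real capture): victim hello, controller reply, hangup.
SAMPLE_CLIENT = encode_frame(CLIENT_HELLO)
SAMPLE_SERVER = encode_frame(b"200www.yahoo.com!\x00") + TERMINATOR

if __name__ == "__main__":
    print(classify_session(SAMPLE_CLIENT, SAMPLE_SERVER))
```

Because the XOR key is a single byte, the encoded client hello is a fixed byte sequence on the wire, which is what a network IDS signature on TCP 195/444 would key on; the decoder above is the slower but more general check for a stream reassembler.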
Lightweight Backdoor: This is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host's firewall and take advantage of Universal Plug and Play (UPnP) mechanisms to discover routers and gateway devices and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware since connections are inbound only on a specified port number.
Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.
Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine's recovery. If the CNE operator has administrator-level privileges on the host, the program will overwrite portions of up to the first four physical drives attached, and overwrite the master boot record (MBR) with a program designed to cause further damage if the hard drive is rebooted. This results in the victim machine being non-operational with irrecoverable data. (There is a caveat for machines running the Windows 7 operating system: Windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, at which point the infected MBR wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
Network Propagation Wiper: The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files: it checks for existing shares via "\\hostname\admin$\system32" and "\\hostname\shared$\system32", or creates a new share with "cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL". Once successful, the malware uploads a copy of the wiper file "taskhostXX.exe", changes the file time to match that of the built-in file "calc.exe", and starts the remote process. The remote process is started via the command "cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE". Hostname, username, and password are obtained from the configuration file. Afterwards, the remote network share is removed via "cmd.exe /q /c net share shared$ /delete". Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.
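The share-creation, remote process-creation and share-removal commands quoted above are distinctive enough to match in process-creation telemetry. The Python below is an added example, not US-CERT's code. It assumes one JSON object per line with host, user, image and cmdline fields (roughly the shape a Sysmon Event ID 1 or Windows 4688 forwarder emits); the log lines are constructed, including the taskhost12.exe name, since the alert only gives "taskhostXX.exe". It goes one step beyond the text by correlating the three commands per source host, because any one of them on its own (a net share, say) is a weak signal.

```python
"""Detection of the wiper's share-create / remote-exec / share-delete sequence.

Added example, not US-CERT code. Assumed input: one JSON object per line with
"host", "user", "image" and "cmdline" keys. Sample lines are constructed.
"""
import json
import re

# Patterns built from the command strings quoted in the alert. Loggers differ in
# whitespace and case, so the matching is deliberately loose.
RULES = [
    ("wiper-share-create",
     re.compile(r"net\s+share\s+shared\$\s*=\s*%SystemRoot%\s*/GRANT:everyone\s*,\s*FULL", re.I)),
    ("wiper-remote-exec",
     re.compile(r"wmic(\.exe)?\s+/node:\S+\s+/user:\S+\s+/password:\S+\s+PROCESS\s+CALL\s+CREATE", re.I)),
    ("wiper-share-delete",
     re.compile(r"net\s+share\s+shared\$\s+/delete", re.I)),
]

# Constructed sample telemetry (not real logs). Password value is redacted on purpose.
SAMPLE_LOG = r"""
{"host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone,FULL"}
{"host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c wmic.exe /node:FS02 /user:CORP\\alice /password:[REDACTED] PROCESS CALL CREATE \"C:\\Windows\\taskhost12.exe\""}
{"host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /q /c net share shared$ /delete"}
{"host": "WS07", "user": "CORP\\bob", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net share"}
"""


def scan(log_text: str) -> list:
    """Return (host, rule_name, cmdline) for every log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        cmd = event.get("cmdline", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((event.get("host", "?"), name, cmd))
    return hits


def correlate(hits: list, min_rules: int = 2) -> dict:
    """Group hits by source host. A host that trips at least `min_rules` distinct
    rules shows the create-share / remote-exec / delete-share chain the alert
    describes; a single match alone is left for an analyst to triage."""
    by_host = {}
    for host, name, _ in hits:
        by_host.setdefault(host, set()).add(name)
    return {h: sorted(rules) for h, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for host, rules in correlate(scan(SAMPLE_LOG)).items():
        print(f"{host}: {', '.join(rules)}")
```

The wmic rule matches the operator-side host (the one issuing PROCESS CALL CREATE), so the correlated alert names the machine spreading the wiper rather than its targets; the /node: value in the same line is the target to isolate next.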
Technical and strategic mitigation recommendations are included in the Solution section below.
Sunday, November 2, 2014
Facebook opens up to anonymous Tor users with .onion address.
Before this, when trying to access a Facebook account from the Tor network, Facebook's security measures treated it as an attempted break-in: if I normally log in from Colombia and then an access attempt appears from the United States or some other country around the world, that alone was sufficient indication of malicious access, on top of the other aspects Facebook considers for the security of its accounts, so the user was forced through a series of rather cumbersome requirements demanded by Facebook to get into their account.
With this new Facebook alternative in the world of encryption and the anonymity of the Tor network, the user can use their account without trouble.
Tor has a great many uses, as many as a cyber-citizen has needs, and more still the further they investigate and learn. Tor has been used, among other things, to evade censorship of websites from certain regions of the world. Facebook itself has been censored in entire nations, and the Tor network has been a way to reach it.
The tools, methodologies and strategies for preserving, as far as possible, privacy, anonymity and security in communications are numerous in the pursuit of perfecting this process; it demands continuous learning and a very delicate balance so as not to be harmed through ignorance in the face of the unstoppable change in this cyber-system.
As for the information we transmit, fundamental tools for encryption, the product of advances in cryptography, the worthy daughter of cryptology, are within our reach. But we must keep up with their evolution, since some of them have been discredited and had their vulnerabilities exposed, as was at the time the case with TrueCrypt.
Perhaps some of you have heard it said that privacy and anonymity on the Internet are impossible.
But, faced for example with cybercrime and its strategies and tools for stealing financial information, to cite one case, we cannot let our guard down and stop acting while they, for their part, study and learn, or hire specialists to serve them in harming unwary users who take little responsibility for the care of their own information or that of third parties.
Privacy on the Internet is a right of every cyber-citizen, and anonymity is one of the ways to exercise that right.
Likewise, we must be able to exercise, guarantee and have guaranteed freedom of expression and other rights on the network.
However, isolated individuals or groups with some criminal, ideological, religious or political aim, and even nations and corporations, attack rights on the network, and that is why one of the best-known resources for different user profiles with different objectives and vulnerabilities is the Tor network.
And now we see Facebook joining it. In a few months or years we will see what experiences Facebook shares about this experiment. And so will we ourselves!
Friday, October 31, 2014
Thursday, October 23, 2014
National Cyber Awareness System:
10/22/2014 05:28 PM EDT
Original release date: October 22, 2014
Ransomware is a type of malicious software (malware) that infects a computer and restricts a user's access to it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:
- Present its main characteristics, explain the prevalence of ransomware, and the proliferation of crypto ransomware variants; and
- Provide prevention and mitigation information.
WHAT IS RANSOMWARE?
Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.
Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.
WHY IS IT SO EFFECTIVE?
The authors of ransomware instill fear and panic in their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware. The on-screen alerts use messages similar to those below:
- "Your computer has been infected with a virus. Click here to resolve the issue."
- "Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine."
- "All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data."
PROLIFERATION OF VARIANTS
In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users' and organizations' files, and render them useless until criminals receive a ransom.
Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of malware itself is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.
LINKS TO OTHER TYPES OF MALWARE
Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.
The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.
Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:
- Temporary or permanent loss of sensitive or proprietary information;
- Disruption to regular operations;
- Financial losses incurred to restore systems and files; and
- Potential harm to an organization's reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.
Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.
US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
- Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Maintain up-to-date anti-virus software.
- Keep your operating system and software up-to-date with the latest patches.
- Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
- Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
- Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC.
Initial Publication, October 22, 2014
Sunday, April 27, 2014
10 days until the DragonJAR Security Conference 2014: DON'T MISS IT
Saturday, April 26, 2014
Wednesday, April 23, 2014
Check out the tweet from @heidybalanta: https://twitter.com/heidybalanta/status/458610797845815296
The solution also lies with hackers devoted to ethical work!!