These days there is a lot of talk about a piece of "malware" (software with not-very-holy intentions) called "The Flame". It is a rare species of virus or cyber-weapon, discovered recently, whose purpose is espionage. For example, it can take screenshots when certain applications appear, as some banking trojans do, while also connecting over Bluetooth to external devices or controlling parts of the PC such as the microphone. Its degree of specialisation is surprising. But what stands out most is the goal it has scored against every network security company and security software vendor: it has been running for years. In fact, it seems to exploit an unknown Windows vulnerability, since it infects a fully patched Windows 7 without any trouble, thereby calling into question the current protection model and the way we protect systems today.
On the other hand, Iran and the USA are mentioned as possible targets of this tool, with an origin a priori placed in the Middle East, and it is capable of stealing screenshots, audio and images, and even of intercepting network traffic.
It is a modular tool, with code exceeding 20 MB, and of a complexity not seen until now. It appears to have been built by a competent team of people who know what they want and how to get it...
On the other hand, I have always considered the possibility that some governments pressure software companies or individuals to build backdoors into software, for control or for use in an armed confrontation or in a cold war, which now seems somewhat distant... Or does it? This discovery shows that the Internet is one more part of the world chessboard, and that it need not be something outside the reach of countries' intelligence services. Opinions? Are we looking at a development sponsored by the secret service of an advanced country? Where is the limit? Are we really protected, or are we in the hands of tools that are totally ineffective against this kind of attack?
I think this discovery calls for deep reflection... Is it an extraordinary case, or the tip of an iceberg whose size we cannot begin to imagine?
Tuesday, May 29, 2012
Thursday, June 02, 2011
34 reasons why Bad guys are winning!
A good article I read in ComputerWorld. Here is a summary of these 34 reasons:
- The game is rigged in favor of the bad guys: To avoid breaches, the good guys have to succeed 100% of the time. The bad guys only have to succeed once.
- TCP/IP, the underpinning of the Internet was never designed with security in mind. Ditto Ethernet, the underpinning of almost all local area networks.
- Internet User Guide: There is no User Guide to the Internet that lays out briefly and in simple language the obvious mistakes that should be avoided. Neither hardware manufacturers, nor ISPs, nor operating system vendors have bothered to offer a helping hand to their most clueless users. A pamphlet would be plenty.
If it only covered the most basic things, that would still be a huge step up. Things like the dangers of clicking links in email messages or that when you are prompted to install software there's a good chance it's a scam. Mac users are just learning this last point the hard way. Welcome to the club. Back in February 2010 Microsoft employee and security expert Roger Grimes wrote: The majority of the risk is due to end-users intentionally executing socially engineered Trojans that show up as fake antivirus software, malicious video codecs, fake patches, and needed software drivers. Yes, good patching and strong passwords also help, but Trojan horse programs that your end-users (or friends or family) get tricked into installing are by far the most popular, successful threat.
- The FROM address of an email is easy to forge (see prior point) and too few people know this.
- People are gullible.
- SSL, the technology behind secure web pages, is a sham.
- Home WiFi: People use WEP on their home WiFi networks. That Verizon continues to employ WEP for new customers is shocking. It should be illegal. WEP encryption is easily broken, unlike the two newer schemes WPA and WPA2. That said, even WPA and WPA2 can be hacked if the password is weak.
- Public WiFi: People use unencrypted public WiFi networks without a VPN. You don't spit into the wind, you don't tug on Superman's cape and you shouldn't use unencrypted public WiFi networks without a VPN. It opens up a slew of potential problems.
- Some files/data should never be accessible over the Internet. Yet, they often are.
- The IT field changes very quickly: When faced with a medical problem, we often deal with a doctor with 10 or more years of experience in their specialty. Very few programmers have that much experience in the development environment they use. For example, no one on the planet has 10 years experience coding Android apps. Inexperience inevitably leads to rookie mistakes.
- Too many corporate executives have no technical savvy. This leaves them susceptible to scams and handicaps their ability to judge the importance and effectiveness of the computer security at their company.
- Small businesses have no computer techies on staff which makes them ripe for online banking fraud. Brian Krebs did a series of articles describing many instances of this.
- Economics dictates that software will be buggy: Developers are paid to write applications that work and, often, that are finished ASAP. That applications are totally and completely bug free may not be the highest priority. For one thing, it delays roll-out. For another, not every developer is up to the task. Steve Gibson discussed this briefly on his Security Now! podcast (episode 302, May 26, 2011). The topic was Donald Knuth, the author of TeX. Gibson called him "an artist of software" and marveled at how bug free TeX turned out to be, despite being a massive system. According to Gibson, Knuth ... wrote it in a language that he knew .. and wrote it very carefully ... Now, is that a commercial practicality? No. I mean, he would have been fired by any employer.
- Software will always be buggy even without economics: Programming is still an art and one best done by the fewest possible people. How many great works of art in a museum were done by a large team working together? Large applications, written by teams of developers, are especially likely to be buggy, either due to communication failures or the inclusion of less skilled developers.
- Popular software: When software gets brutally popular (think Windows, Flash, Adobe Reader and Java) bad guys devote time and effort to finding bugs that can be exploited. Many times on this blog I suggested avoiding software that has a bull's-eye painted on its back.
- Bug fixes: The process of installing bug fixes (politely known as patches) to software applications on Windows and Macs is disgraceful, with each application forced to roll its own self-update scheme. It's anarchy. While large corporations can spring for software that installs bug fixes company-wide, smaller organizations and consumers suffer. Thus many, if not most, personal computers are running software that is missing patches to known bugs. I used to recommend Secunia's Online Software Inspector, but it requires Java and I'm hesitant to encourage the use of Java as flaws in old versions are frequently exploited by bad guys.
- Nothing prevents a program from advertising itself as doing one thing, but when it's installed doing something else too.
- Windows does not do a great job of defending itself. For example, Patchguard, UAC, DEP and ASLR have all been defeated, at times, by bad guys.
- Least privilege: Both Windows and Macs have a concept of limited/restricted users and administrative users. Think of it as adult users who can do anything and child users who are restricted from messing up the guts of the system. An important defensive computing tactic is to run with the least privileges necessary. Practically speaking, this means logging on to the computer as a limited/restricted user most of the time and only logging on as an administrator/adult when necessary. But, both Windows and Macs default to using administrative level logons, a big security mistake. At the least, Windows XP users should consider DropMyRights. Windows 7, which I hate with a passion, does a great job of running as a restricted user. An explanation of this belongs in the fictional Internet User Guide.
- Windows autorun: Microsoft keeps trimming it back, but it still exists in Windows 7. It should be thoroughly, completely and totally disabled. Microsoft does not offer this as an option. I did back in January 2009. The technique I described then still works and is still necessary in Windows 7.
- Motivation: Sometimes, perhaps often, the bad guys are more motivated than the good guys. Maybe it's the potential for a huge payday, a sense of pride, the desire for respect from their peers or a sense of nationalism (it has been suggested that some hacking is state sponsored).
- Bad guys rarely get caught.
- Competent techies: When hiring nerds, it's hard to judge technical competence. Computers are a new and fractured field. Plus, as noted above, programming is still an art rather than a science.
- The good guys may not be perfect: Some good guys are not well trained for the task at hand. Some are optimists (only a pessimist will think of everything that can possibly go wrong and plan for it). Some are lazy. Some are intellectually challenged (think boss's brother-in-law). As noted in the first point on this list, the good guys only need to fail once for the house of cards to fall. Then too, some good guys are not good guys at all - it only takes one rogue techie to undermine the good work of their honest techie colleagues.
- SQL injection: If anything points up the imperfect nature of developers, it's SQL injection, a way of hacking into websites. SQL injection is totally preventable (I say this having worked with databases for many years). That it succeeds, is a mark of sub-optimal application developers. Perhaps lazy, perhaps ill-trained, perhaps an honest oversight here and there, or maybe just under the gun to finish a project as quickly as possible.
- The bad guys are constantly getting better, both in the sophistication of their software and their scams. They also adapt to pick on the weakest link in the security chain. For example, as Windows got better at keeping itself updated with bug fixes, the bad guys moved on to attack other popular software (Java, Flash, Adobe Reader).
- Not enough sandboxing: Sandboxing refers to putting a virtual wall around an application to ensure that it does not harm the rest of the system. My favorite Windows sandboxing utility is Sandboxie. It can prevent the permanent installation of malicious software on Windows PCs. It does not prevent malware from getting onto a computer in the first place, and the malware can execute if not caught by standard antivirus software. But Sandboxie can prevent malware from permanently residing on a Windows computer. It does not get nearly the attention it deserves. Highly recommended.
- Antivirus software: Speaking of antivirus software (for Windows), any single product offers flawed protection. Many computers with up to date antivirus software get infected anyway. And, even if an antivirus application detects malware, that doesn't mean its cleanup of the infection will be perfect.
For better detection, occasional scans with a different antivirus program are the way to go. Better still, an occasional scan with software that runs off its own bootable CD is the best approach. Microsoft just released their Standalone System Sweeper and many antivirus vendors, such as Avira and Kaspersky, offer something similar. Yet, how many people do this?
- Google: Bad guys trick Google into listing malicious web pages and images near the top of search results. My defense against this is Web of Trust, a free browser plugin available for Firefox, Chrome and Internet Explorer.
- The C programming language refuses to die.
- Newer operating systems (found on smartphones) can remotely disable applications that are determined to be malicious. This is not possible on the older systems used on personal computers.
- Computer and network security may not get the attention it deserves at companies. This is understandable as it's not an income producing area. Like insurance, it costs money and returns nothing, at least nothing immediate.
It has been all over the news recently that Lockheed-Martin's network was attacked and somewhat breached. What I find interesting about the story is that as a result of the attack, Lockheed-Martin "took swift and deliberate actions" to increase their network security. Really? If there was any company that should have the best possible computer security it's Lockheed-Martin. Yet, even they weren't giving security sufficient priority.
- All security schemes need constant care and feeding. Automated tools only go so far. But monitoring takes more time/effort/expense than many companies are willing to endure.
- Judging by the stats I get, virtually no one reads this blog.
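The SQL injection point in the list above says the bug is totally preventable. As an added example (not code from the ComputerWorld article or from this blog), here is the defect beside its fix using Python's built-in sqlite3 module, with a constructed two-row `users` table and a unit-style check that the parameterised query no longer returns extra rows for a quote-bearing input. The table, function names and sample rows are hypothetical.

```python
import sqlite3
from typing import Dict, List, Tuple


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample data (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the input is pasted into the SQL text, so a
    quote character in the input changes the structure of the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Fixed: a parameterised query. The driver sends the value separately
    from the SQL text, so the input can only ever be compared as data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> Dict[str, int]:
    """Run both versions on a normal name and on the textbook tautology input
    and report the row counts, the way a regression test for the fix would."""
    conn = build_sample_db()
    normal = "alice"
    hostile = "' OR '1'='1"  # turns the vulnerable WHERE clause into 'always true'
    return {
        "vulnerable_normal": len(find_user_vulnerable(conn, normal)),   # 1 row
        "vulnerable_hostile": len(find_user_vulnerable(conn, hostile)),  # every row
        "safe_normal": len(find_user_safe(conn, normal)),                # 1 row
        "safe_hostile": len(find_user_safe(conn, hostile)),              # no such user: 0 rows
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s)")
```

The same shape applies to any driver that supports placeholders; string formatting of user input into SQL is the defect, regardless of the database.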
Monday, March 22, 2010
Malware never rests... Not even at night...
PandaLabs' annual report for 2009, on the state of the Internet and malware, has been published. Frankly, it is impressive. In this last year alone, more malware was detected than in the previous 25 years... And the report is quite pessimistic about where this is heading. So am I... I keep spending absurd amounts of time cleaning and repairing my own PCs and other people's (the familiar "you know about this stuff..."). I have never had a year as hectic as this one. I have had trojans, pendrive viruses, everything. Like in the old days. But now it is a bit scarier... From the Internet they can empty our bank account. And never have so many people had the capability we have now, and used it so unconsciously. Our parents and elders use the Internet with too much trust, naively. Those of us who grew up with the Internet and tinker with it are the most distrustful. We know the dangers of PCs. We have been suffering them since their birth, back in the distant year 1980. But today's generation is the most trusting. They were born with the Internet and it is part of their way of life. And they do not understand, for example, that in many places access to the network is still difficult. Sometimes that is even for the better; it is the only thing that protects us...
Tuesday, December 29, 2009
GSM exposed (in the clear, that is...)
According to EuropaPress, a German researcher presented his work at the 26th edition of the "Chaos Communications Congress", better known as 26C3, in which he explains how he has compromised the security of the encryption algorithms of the GSM standard:
"Karsten Nohl, a 28-year-old German engineer, has successfully broken the security code that encrypts 80% of the calls made from any mobile phone on the planet: the GSM network.
Nohl states that his goal is to warn of the weakness in mobile communications, although security experts warn that any criminal organisation will be able to intercept calls within minutes once the code is made public.
"This shows that the current security of the GSM standard is inadequate. With this action we are trying to push operators to adopt better security measures for calls made from mobile phones," Nohl said during the 'Chaos Communication Congress', a conference for 'hackers' held in Berlin.
Meanwhile, the GSM Association, the industry consortium that wrote the encryption code, maintains that Nohl's work is illegal and that it has endangered the security of the entire mobile communication network.
"It is theoretically possible but rather improbable in practice. What he is doing is illegal in both the United Kingdom and the US, and it is hard to understand that he is doing it in the name of security," said GSM Association spokeswoman Claire Cranton.
For his part, as reported by 'The New York Times', Nohl stated that before starting this project he took all the necessary legal precautions, stressing that the 'cracking' of the GSM system had purely academic purposes and that at no point did he attempt to intercept any call. "We are not recommending that people break the law, but warning operators that we need better security measures."
Illegal wiretapping
The exchange of statements between the GSM Association and Karsten Nohl also reopens the debate on whether it is really that easy to intercept a call made from a mobile phone. The GSM Association has issued a statement asserting that any operator, with a simple modification of the code, can prevent any illegal wiretapping attempt, and that, in addition, the 'software' and 'hardware' needed to carry out such an action is not available for sale to the public.
However, Nohl stated that 'copyrighted' applications are by no means needed to eavesdrop, since there are free and open-source options so that users, together with the code released through p2p networks such as BitTorrent, can "handle it at will".
According to Simon Bransfield-Garth, head of security at Cellcrypt, a London-based 'software' company, "what Nohl has done is put sophisticated call-interception technology, until now only in the hands of governments and intelligence agencies, within reach of "any well-funded criminal organisation".
"It will reduce the time it takes to intercept a GSM call from weeks to hours, and as the code is developed further it will be a matter of minutes," Bransfield-Garth added.
The GSM system, also known as 2G, is the most widely used wireless communications standard in the world. Of the 4.3 billion wireless connections, some 3.5 billion are made over GSM.
The GSM algorithm, technically known as the A5/1 algorithm, is a binary code (exclusively 0s and 1s) that has protected all wireless telephone conversations since the standard was approved in 1988.
In 2007, the GSM Association produced a 128-bit successor to A5/1, called A5/3, but most network operators have not yet invested in upgrading the security of this algorithm."
Wednesday, September 02, 2009
Content filters should be smarter...
Below I reproduce a good article on the case for making content filters more sophisticated; today they are very basic, with a "one size fits all, for everyone and everything" philosophy...
Towards a Kinder, Gentler Big Brother
Walk softly and carry an array of small sticks could be the motto for the HR professional charged with acceptable usage policy. Users are sophisticated about technology. Connectivity is ubiquitous. Web applications are now popular business tools and there is a rich and growing supply of content contributing to a more productive, customer-oriented workforce. It’s time to put away the big stick of one-size-fits-all Internet policies.
Users were once expected to do their jobs within the parameters of an Acceptable Internet Usage Policy (AUP) designed to block pornography, hate content, surfing on corporate time, spam, viruses, spyware and phishing, and to ensure regulatory compliance. While users may have groused about being blocked from X, Y, and Z site, HR and IT gave them no choice. Big Brother was watching, protecting the enterprise his numero uno priority.
But then the web browser went from being an extension of the desktop to become the desktop, at least metaphorically. Now we have more Web-based applications, peer-to-peer voice and video, IM, job and networking sites such as LinkedIn, and the YouTubes and MySpaces--and fewer desktop solutions. The Web has grown in breadth and complexity of content, making the decision to allow or deny a far more nuanced proposition. Users have found ways of getting around older static Web Filters and simplistic proxies by downloading proxy-avoidance software.
Securing the enterprise from the deluge of ever-changing threats and servicing users increasingly dependent on the Web may seem like mutually exclusive endeavors. Granular policy making helps HR and IT strike a balance. Granular policy setting allows HR and IT to meet enterprise security and user requirements case-by-case using multiple triggers such as time, user, IP address and content-based policy filters. Sports, shopping, and other “non-business” sites may be appropriate before and after work hours for different user groups. Blanket blocking of career sites is one way to prevent brain drain, however HR needs access, and allowing your marketing staff to mine LinkedIn and other career sites for competitive intelligence is good for the bottom line.
A granular approach allows IT to selectively allow certain web sites and deny specific content within that website for individual users or user groups, depending on their jobs and information needs. Picture the executive assistant who can’t make the CEO’s plane and hotel reservations because IT has blocked her (and everyone else in the company) from travel sites. Since executables can be spyware and also updates from software providers, how do you tell the difference? Should streaming video and audio be blocked from entertainment sites? Do you also block streaming media from a financial site?
A flexible usage policy applies to “personal business” as well. The CEO who can’t access a sports site to find out the final score of a football game is likely to be just a teensy bit annoyed with IT. The receptionist who keeps leaving her post to chat with colleagues may be more likely to stay at her desk if she has at least limited access to YouTube. The same company would possibly be better served if the hourly contract employee emailing his buddies throughout the day were blocked from Web-based email sites.
Customization Ensures Global Compliance
The gentler approach to policy setting also enables enterprises to comply with a complex array of government regulations and privacy laws. In the U.S., regulations abound. Some are national: Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), HIPAA (Health Insurance Portability and Accountability Act) and SEC 17; others, such as California's Security Breach Information Act, are state-mandated. The terrain gets even more complex for companies doing business internationally, and the ability to implement country-specific policies can mean the difference between compliance and expensive fines. All countries have distinctly different privacy laws, requiring customized Web policies.
In Germany, everything users communicate is considered private unless the user has specified it’s not. This poses challenges for monitoring web and email usage. But even putting aside legal restrictions on Internet security for a moment, does it make sense to intercept encrypted traffic between an employee and a respected shopping site such as Amazon? How about to an unknown or suspicious website? The Web policy solution you use should allow you to differentiate among categories of websites, enabling you to allow access where and when appropriate and preserving the bandwidth otherwise used to filter what is essentially benign web usage.
Many organizations block streaming video as a general policy. But streams from a financial website may provide valuable information for the user depending on his or her job. YouTube is a more obvious productivity and bandwidth drain and should be blocked for most users--but perhaps not for your marketing staff who may want to use YouTube for marketing purposes.
Again, the ability to define policy based on multiple simultaneous parameters is the key. Are you able to associate a given policy with this user at this PC at this time using this browser, visiting this web site, downloading this type of file? This level of granularity is essential to defining an AUP suitable for the ever-changing Web environment.
The kinder, gentler big brother communicates with users. The tenor of the conversation between HR and users should be friendly, not authoritarian. Automated alerts triggered by a policy filter help inform employees about usage policies. If a user attempts to access a blocked site, for example, the alert should explain the policy and any exceptions to that policy—for example, limited access to shopping sites outside of business hours. When an executable has been blocked and the rest of the requested content allowed, the user needs to know. Personalized alerts change user behavior. The employee who whiles away the hours on eBay may think twice about getting on eBay again if she knows IT and HR are aware of her activity.
And yet, it’s important to treat users like mature, discerning adults, allowing them to make their own decisions. Rather than a blanket policy of blocking sports, travel, auction, and shopping, a much better approach is to present users (exempting CEO, perhaps) with a message that asks them to consider the productivity merits of visiting sports sites or eBay during working hours. Provide them with a link to the AUP for more information. Then allow access. If enterprises must exercise control, and indeed they must, let Big Brother walk softly.
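The article above asks whether a policy can be tied to this user, at this time, visiting this site, downloading this type of file, and whether the resulting alert explains the decision. As an added example (not the article's or any filtering vendor's code), here is a small first-match policy evaluator in Python that models those triggers and the article's own cases: career sites open to HR and marketing only, travel sites for the executive assistant, executables blocked with an explanatory message, web mail blocked for contractors, and a "warn, then allow" prompt for shopping and sports sites during working hours. The rule model, group names and `*.example` hostnames are hypothetical; site categories are assumed to come from a URL categorisation feed.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Set, Tuple


@dataclass
class Request:
    user: str
    groups: Set[str]      # directory groups of the user, e.g. {"marketing"}
    site: str             # requested hostname
    category: str         # "career", "shopping", "travel", ... (assumed from a category feed)
    when: time            # local time of the request
    file_type: str = ""   # extension of a requested download; "" for a plain page view


@dataclass
class Rule:
    name: str
    action: str           # "allow", "deny" or "warn" (show a message, then allow)
    message: str          # user-facing text; may use {user} and {site}
    categories: Set[str] = field(default_factory=set)   # empty = any category
    groups: Set[str] = field(default_factory=set)       # empty = any user
    file_types: Set[str] = field(default_factory=set)   # empty = any (page views included)
    start: Optional[time] = None                        # time window; set both or neither
    end: Optional[time] = None


def rule_matches(rule: Rule, req: Request) -> bool:
    """Every populated trigger must match; empty triggers act as wildcards."""
    if rule.categories and req.category not in rule.categories:
        return False
    if rule.groups and not (rule.groups & req.groups):
        return False
    if rule.file_types and req.file_type.lower() not in rule.file_types:
        return False
    if rule.start is not None and rule.end is not None:
        if not (rule.start <= req.when < rule.end):
            return False
    return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule wins, so rules are ordered from most to least specific.
    Returns (action, message) so the message can be shown in the user's alert."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action, rule.message.format(user=req.user, site=req.site)
    return "allow", "No policy restricts {}; access allowed.".format(req.site)


WORK_START, WORK_END = time(9, 0), time(18, 0)

RULES = [
    # Executables are blocked for everyone, but the user is told why and how to get an exception.
    Rule("block-executables", "deny",
         "The executable from {site} was blocked; the rest of the page was allowed. "
         "Ask IT if this is a vendor update you need.",
         file_types={"exe", "msi"}),
    # Career sites: HR and marketing need them; everyone else is blocked.
    Rule("career-hr-marketing", "allow", "Career-site access is allowed for your role.",
         categories={"career"}, groups={"hr", "marketing"}),
    Rule("career-others", "deny", "{site} is a career site and is blocked for your role.",
         categories={"career"}),
    # Travel sites: the executive assistant needs them for bookings; others do not.
    Rule("travel-exec-assistant", "allow", "Travel sites are allowed for your role.",
         categories={"travel"}, groups={"exec-assistant"}),
    Rule("travel-others", "deny", "{site} is a travel site and is blocked for your role.",
         categories={"travel"}),
    # Web-based e-mail is blocked for hourly contractors at any time of day.
    Rule("webmail-contractors", "deny", "Web-based e-mail is blocked for contractor accounts.",
         categories={"webmail"}, groups={"contractor"}),
    # Shopping and sports during working hours: remind the user, then let them decide.
    Rule("shopping-work-hours", "warn",
         "{user}, consider whether {site} is needed during working hours (see the AUP). "
         "Shopping and sports sites are open outside 09:00-18:00.",
         categories={"shopping", "sports"}, start=WORK_START, end=WORK_END),
]


def decide(user: str, groups: List[str], site: str, category: str,
           when: time, file_type: str = "") -> Tuple[str, str]:
    """Convenience wrapper that builds the Request and evaluates the rule set."""
    return evaluate(RULES, Request(user, set(groups), site, category, when, file_type))


if __name__ == "__main__":
    print(decide("pat", ["marketing"], "linkedin.com", "career", time(10, 0)))
    print(decide("sam", ["engineering"], "ebay.com", "shopping", time(11, 0)))
    print(decide("sam", ["engineering"], "vendor.example", "software", time(11, 0), "exe"))
```

Rule order matters: the group-specific allow rules sit above the category-wide deny rules, so adding a new exception means inserting it above the blanket rule it overrides.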