Sunday, 30 October 2011

Best of the Week - 30 October 2011

This is the latest post in the "Best of the Week" series, in which you can find my personal selection of this week's best security resources.

Hope you enjoy it.

@computersandlaw Cloud Legal Project have a recording of Dr Ian Walden's talk on law enforcement access to cloud data available at

@FSecure How to Create a Fake Identity and (Try to) Stay Anonymous Online

@CiscoSecurity Security Quiz - easier than the one we had at BlackHat, have you tried it yet?

@nigroeneveld Using Pastebin Sites For Pen Testing Reconnaissance

@andreglenzer Further evidence of Certificate Authority break-ins:

@paulsparrows XML Encryption Cracked! #Infosec

Tuesday, 25 October 2011

Andrea Zapparoli Manzoni - 2011, InfoSec’s “Annus Horribilis”

The "Voci Amiche" section of Punto 1 resumes hosting contributions from other security experts.

I'm very happy to announce that we are starting with a good friend of mine and a very capable expert: Andrea Zapparoli Manzoni.

His experience and passion for his work in the field of social media security make him a prominent figure among Italian security experts.

Andrea and I agreed that his post will be split into two parts, so... stay tuned!!

Andrea, the floor is yours!

Social Business Insecurity: Espionage, Cyberwar and Trans-national Cybercrime

A 2008 report of the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency noted: ‘we began with one central finding: The United States must treat cybersecurity as one of the most important national security challenges it faces’ (CSIS 2008).
Let's admit it: three years later things didn’t get any better; on the contrary, they seriously worsened. Without fear of being dubbed scaremongers, we can say that 2011 was a real "annus horribilis" for InfoSec, probably the worst ever, and that, at least until now, both industry self-regulation and law enforcement oversight have almost completely failed in the cyber security space.
The same foundations of e-commerce, home banking and of any other sensitive online activity (including expressing dissent) have been shaken by the recent attacks on the Certification Authorities infrastructure (Comodo, DigiNotar and even RSA, in a sense), leaving us wondering whether we should completely rethink the trust model that is one of the cornerstones of the Internet today.
The prevailing compliance-focused security model is showing all its shortcomings too, and has clearly become obsolete when compared to the evolution of threats: not only has diffuse cyber-hacktivism fully demonstrated its potential with LulzSec and Anonymous (ask Sony!), but high tech skills are now available for rent on a global scale to a variety of customers, including nation states, corporations and other interest groups (i.e. criminal cartels and terrorists), changing the security game forever.
We're also witnessing the birth of trans-national cyber mercenary units and the unregulated proliferation of shadowy private contractors (the HBGary scandal being just a glimpse of what is brewing in the cyber-underworld, well beyond the reach of public scrutiny).
The feeling is that the situation is getting out of control, and that all the advantages that the new digital domain has brought to our everyday lives are now at risk of being seriously hindered by the stupendous growth of cyber threats and of their intensity, if this trend isn’t somehow reversed.

Social Business Insecurity 

While Social Business is touted as the new frontier of economic activity, attracting huge investments and creating a lot of expectations, associated risks are completely underestimated.
The marketing hype surrounding the steep rise of Social Networks adoption has masked the reality of a corresponding growth in espionage, cyber crime and cyberwarfare activities performed through them.
The potential consequences of organized cybercrime, cyber-espionage and cyberwarfare activities coupled with Social Media platforms are, as of today, not well understood and mostly ignored.
With an estimated billion logged users per day, Social Media are the “place” where everything happens nowadays, almost in real time and without any serious monitoring capability in place. It is extremely hard, both economically and technically, to react to Social Media delivered threats in a timely and organized manner, which can then be amplified and spread to a world-wide audience in a few minutes.
Furthermore, it seems that the owners of Social Media platforms have no interest, or at least are not putting enough effort, into making their digital environments less prone to misuse.

Cyber-espionage (especially from the far east) has reached never-before-seen levels of sophistication and is now the world's primary cause of intellectual property theft, becoming more aggressive by the day, while some analysts are already stating that we just entered a new “Cold Cyberwar” age.
With regards to cyberwar, many developed countries are loudly declaring that they are defining ad-hoc cyberwarfare doctrines and building up both offensive and defensive cyber capabilities, establishing military commands and special hybrid groups (military and civilian) for the purpose, while at the same time they are getting every day more vulnerable and susceptible to devastating cyber-attacks on their digital infrastructures, caught in a self-fulfilling prophecy.

Meanwhile trans-national cybercrime is growing exponentially (+250% in 2011 compared to 2010), having reached an overall estimated 2011 turnover of 7Bn $ while inducing worldwide direct and indirect losses for 388Bn $ (a 55:1 ratio!), an amount of lost wealth that is bigger than Denmark’s GDP.
By their very nature, Social Media are not only affected by the usual Internet threats (frauds, scams, spam, phishing, whaling, identity theft, malvertising and infections hit tens of millions of users every year), but are also becoming the new tool of choice for OSInt and enemy groups infiltration, social engineering and PsyOps, unfair competition, surveillance and target acquisition (as was recently demonstrated in Libya and during the “Arab Springs”). Social Media have now become not only the Arcadia of digital social interactions, but also the equivalent of a world-wide, free C4ISR for any antagonist group, a perfect cyberweapons delivery system and, of course, cybercrime’s preferred playground.
In this scenario it is clear how Social Media platforms themselves have become not only a major infection vector but at the same time a weapon, a battlefield and (therefore) a primary target, which makes them quite a dangerous environment for establishing large scale business operations.
Also, due to the fact that Social Media Security awareness is completely lacking, not only within the general population but also among law-makers and top managers, laws, policies and safe behaviours are also lagging years behind the adoption of the technology, in all environments. 
This creates a huge, nearly intractable problem for today's security teams, because of the sheer number of users involved, and because
1) SN are intrinsically based upon a (mostly false) sense of trust between their members,
2) SN authentication methods are weak to say the least and identity is not verifiable (nor verified),
3) attacks are mostly performed at the semantic level, well above firewalls and antimalware defenses, and
4) mobile devices and the “consumerization” of Enterprise IT (which is spreading also among the military!) are making traditional defenses unworkable.
There are specific countermeasures that we can apply in order to mitigate Social Business related risks, but they require huge investments, a strong commitment, diffuse education at all levels, radical organizational and technological changes, and the hard work of many skilled people (not only in the InfoSec field) in order to be effective. We’ll discuss them in the next article, stay tuned.
Andrea Zapparoli Manzoni was born in Milan in 1968.
With a multidisciplinary background in both political science and computer science, since 1997 he has developed an active interest in ICT security, with particular reference to GRC (Governance, Risk and Compliance), cybercrime and cyber warfare issues.
Over the years he worked in the IDM, IAM, DLP, Anti Fraud, Security Intelligence, Forensics, Vulnerability Assessment & Management fields in Enterprise, Industrial, Central PA and Gov-Mil environments.
He writes articles and essays on InfoSec topics and follows very closely all developments in Cybersecurity, working as a trusted advisor with national and international organizations.
He participates in the activities of CLUSIT (Italian Association for Information Security), speaking at conferences, contributing papers (two ROSI patterns about IAM and DLP, seminars about SCADA Security and Social Media Security) and spreading the culture of IT Security in Italy.
In addition to collaborating with numerous Italian and foreign companies, he is the founder and CEO of iDialoghi, a consulting firm specializing in the design and implementation of advanced information security solutions, including the Social Business Security field.

Sunday, 23 October 2011

Best of the Week - 23 October 2011

Duqu, the son of Stuxnet, has attracted a lot of attention this week. I have my own opinion on this topic and I'm trying to obtain some confirmation. Next week, probably, I will publish something on this subject.

Here's my list of the best security resources of the week.

Hope you enjoy it.

@marcomorana "@WebSecurityNews: Hackers Spied on Board Directors After Nasdaq Breach - Enterprise Security Today"

@AdobeSecurity Note: The next quarterly #AdobeReader, #Adobe #Acrobat #security updates have been rescheduled for Jan 10, 2012.

@josephmenn FBI official says secure, alternate Internet is needed to protect critical systems -

@marcoriccardi The Biggest Security Breaches Of All Time

@FSecure Who gets your Internet passwords when you die?

@nigroeneveld Using Pastebin Sites For Pen Testing Reconnaissance

Sunday, 16 October 2011

Best of the Week - 16 October 2011

Here's my list of the best security resources of this week.

And this week we serve... many videos!

Hope you enjoy!

@mthorbruegge Cyber Security: Thousands of video lectures from the world's top scholars

@jduck1337 Check out @0xcharlie 's @PaulDotCom interview on Pwn2Own and more -…

@taosecurity Honker Union of China reorganizing for defense, plans to avoid cybercrime Probably true; want to make less risky money?

@gianlucaSB Public/Private Collaboration to Fight Botnet Plague

@josephmenn Where are countries most vulnerable to cyber attacks? Do we need an "Internet 2"? More stories are up at…

@DoDRecruiterDC How to Secure Federal Data in the #Cloud #bigdata #infosec #cybersecurity via @spinzo

@0xcharlie Why you shouldn't report bugs (…) Especially web bugs!

Friday, 14 October 2011

MUMBLE - On drones, malware and SCADA

This reflection stems from a series of news stories that have caught the media's attention in recent days.

The first is certainly the best known: an infection, caused by malware, was discovered on the control systems of the American unmanned aircraft (the drones, precisely) that are used for targeted killing missions against Al-Qaeda militants in Pakistan.

And here the first series of reflections and questions arises. Is it possible that these systems, so critical from a tactical and strategic standpoint, capable of launching kinetic attacks that cause the death of human beings, are so poorly protected as to fall victim to any ordinary malware?
If the answer is yes, it means the Americans are all smoke and no substance.
If the answer is no, then it means that what infected them is not just any ordinary malware. And so, following this line of thought, we have to ask ourselves: "How do you infect a weapon system like that?". I don't think there are attachments to open or malicious links to click. What remains, then, is: physical access to the machines (USB sticks or various disks), direct network access or, worse still, "logic bombs" installed in some software or hardware component. In short, scenarios that require a heavy investment in intelligence, professional resources and cutting-edge technology. In any case, chilling scenarios.

As if that weren't enough, the second piece of news is that the technicians who discovered the malware tried to clean the infected machines without involving the groups that handle cybersecurity for the US Air Force. As if to say... "Do it yourself". A very serious matter, if true.

The third piece of news is that an official statement plays down the incident and asserts that it was a trivial keylogger, designed to steal credentials for online games, that infected the system. The infection vector? An infected USB drive. All smoke and no substance, then? I wouldn't swear to it.

My comment at this point is: this time it went well, but if someone decided to organize an attack, given the situation, they could certainly do a great deal of damage, without necessarily having to resort to "Mission Impossible" scenarios. As Stuxnet, after all, has taught the whole world.

The last piece of news that struck me is that the engine control systems of the 747, even while in flight, can be accessed remotely by airline technicians to change the configuration of their parameters. And that security is certainly not the strong point of the operation.

Stop for a moment. Breathe. Now reread that sentence. If you weren't frightened, it really means you have an unshakeable faith in your fellow man and in technology.

I'm not. I am frightened by this news. If you try to put all these stories together, the feeling is that there are sorcerer's apprentices around who are putting everyone at risk with choices that do not guarantee full control of the situation. And so I believe that a rethink of the use of this type of technology is necessary.

Hopefully before some event confronts us all with the evidence of the facts.

Sunday, 9 October 2011

Best of the Week - 9 October 2011

This is the week in which Steve Jobs has passed away. My thoughts are for his family and his friends. I'm convinced that the world is a poorer place without him.

Here is my list of the best security news of the week.

Hope you enjoy it.

@GovInfoSecurity #NIST Issues Continuous Monitoring Guidance. #infosec #ITsecurity #cybersecurity

@jduck1337 Check out @0xcharlie 's @PaulDotCom interview on Pwn2Own and more -…

@lastknight Online Penetration Testing Tools

@CompuSecure Chrome extension enables remote computer control

@CERT_Polska_en #Malware (probably a #keylogger) hits Predator and Reaper US military drones! Security specialists can't remove it...…

@nicfab Canadian bill making data breach notification mandatory (The proposal for a Canadian data breach notification law)

@RealSecurity [Updated] Malware Removal Guide for Windows - added #malware symptoms… #security #virus

Tuesday, 4 October 2011

October 2011: the month of...

I couldn't resist. The opportunity was too tempting. Two initiatives that occupy the month of October, two countries dealing with different problems and different sensibilities, two ways of interpreting the future and the much-longed-for growth, two ways of involving citizens in a public initiative with social implications.

But which countries? And which initiatives?

1 - United States - October 2011, the month of cybersecurity

2 - Italy - October 2011, the month of recycling

Stop! Let's not trivialize, let's not immediately give way to cries of pain. Let's get past the moment of immediate sadness and try to reason.

Is it only our short-sightedness that makes us deal with "garbage" instead of cybersecurity? Probably not; these different choices probably stem from different visions of one's own future as a country and from different contingencies in the problems perceived by the population.

Both initiatives start from the observation that awareness and education are essential components in changing citizens' behaviour. It is certain, however, that if an initiative like the American one were launched in Italy today, given that there is no widespread sensitivity on this topic, someone would surely turn up their nose and think that the initiative was created to make someone "happy".

We certainly still have a long way to go... let's at least hope it isn't overrun by piles of "garbage".

Sunday, 2 October 2011

Best of the Week - 1 October 2011

Many interesting things have happened this week: a dangerous botnet was neutralized and an interesting report was released.

Here you can find my list of the best security resources of the week.

Hope you enjoy it.

@teamcymru Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case

@CiscoSecurity Cisco SIO: Preparing for DNSSEC- Best Practices, Recommendations, Tips and Traps

@FSecure The dangers of online crime: Q&A with Mikko Hypponen

@SCADAhacker October is Cyber Security Awareness Month: DHS Eval Tool - SH: Make your #ics community aware of your security policy.

@stefan_frei RT @dsancho66: Infographic: If You Get Hacked, What Do You Stand to Lose?:

@ibmxforce We just published our 2011 Mid-Year Trend and Risk Report: #security #ibm